Comment 5 for bug 21994

Booting with init=/bin/sh could be prevented by a bootloader password. You have in fact just given an excellent example of why a bootloader password is required if you are in an environment where this issue matters; init=/bin/sh completely bypasses any "protection" we might apply to recovery mode.

In the absence of such an environment where presumably there is local help at hand if necessary, we feel that it is far better to provide an escape hatch in case users lock themselves out of their own computers by mistake. Given physical access, as has already been noted on this bug, there are changes beyond our control that would be needed to prevent this in any case.