Massive Security Vulnerability?

by Locobono

I have a Chromecast with Google TV. From the app browser I installed an APK downloader and sideloaded Chrome. In Chrome, I turned on account sync and browsed straight to my Gmail. No password prompt.

I assume I could do this at anyone's home.

EDIT: TL;DR: your Chromecast is effectively an always-unlocked cell phone, signed in to your Google account.

CyberBlueZ

You did turn on account sync, what did u expect?

kurmudgeon

If you signed into the Chromecast with your own personal Google account, then yes, all apps and services installed on the device will work with that account automatically (Gmail, YouTube, etc.). Yes, your family can see your personal YouTube watched video history if you are using your personal account on your Chromecast.

If you don't want your family to read your email, etc., then create a dummy Google account and sign into your Chromecast with that instead. However, doing this will be a pain in the ass because you will have to manually type all your account usernames and passwords for everything (Disney+, Netflix, HBO Max, etc.).

Bottom line, it's not a security vulnerability, it's a user error in failing to understand the device and how it works.

mocelet

You're right, although you can password protect purchases so nobody can spend your money, you're signed in after all.

Didn't think of that... it's effectively like having an unlocked phone around.

Edit: Guess it makes sense from the security point of view to have separate accounts for entertainment and personal stuff and keep the personal one just in personal / secured devices. Cool, I'll do that, thanks for pointing out this issue! In the old Chromecast it wasn't a problem :)

Edit 2: Android TV has a restricted profile that might be what you want (full control is PIN protected), but I can't find that feature in Google TV.