Topic: Re: [ANN] [SUMO] SUMOKOIN - 🔏 Digital Cash For High-Confidential Transactions 🔏
Board: Announcements (Altcoins)
by billaue on 15/09/2017, 11:05:39 UTC
Who on earth would want to query the spend secret key over wallet RPC?
https://github.com/sumoprojects/sumokoin/commit/819f7e6e0eff6e4f7f41eca32f2e9df1d9b92e03

If the connection was somehow compromised and an attacker managed to see this data, all your money would be gone. Only a fool would use this feature.

The developers seem neither competent nor serious about security, which explains why the very old bug in the wallet has been left unsolved for a long time.

1. First, seed words can be retrieved via wallet RPC too; what's different from the spendkey if the connection is somehow compromised?

2. Second, wallet RPC is only for local access (127.0.0.1) by default; no fools open it to the world, so you have to compromise the PC/server first to access the RPC wallet connection (if it's not secured by a passphrase).

3. Last, the GUI wallet does use RPC, but only it can connect to the RPC because there is a secret passphrase (via the --user-agent parameter) randomly generated at each session, and only the RPC and the wallet know it. Any attempt to access the wallet RPC, even from the local PC, will be denied.

Thanks @quangvhg for the clarification, but I think it's a valid concern about wallet RPC security. Ofc, there is hardly anyone who risks their money by opening wallet RPC access to the wild.

Currently, wallet RPC is mostly used by mining pools and exchanges for payment. In these cases, the wallet security largely depends on the system security. If a hacker can access the exchange servers he might compromise the wallet RPC as well, but we can't do anything abt their system security.

There are some known issues with the current GUI version, mostly due to the daemon synchronization and a corrupted wallet file on creation. It's the first beta version and we'll fix them; sorry for the inconvenience.
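For pool and exchange operators, one way to verify the "local access (127.0.0.1) only" point from the thread is to audit the host's listening sockets. This is an added example, not part of the post or of Sumokoin's code; the `ss -H -ltn` sample is constructed and ports 28082 to 28084 are placeholders, not the wallet's actual defaults.

```python
import ipaddress

# Constructed sample of Linux `ss -H -ltn` output; the 2808x ports are
# placeholders for wherever the wallet RPC is configured to listen.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:28082 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:28082 [::]:*
LISTEN 0 128 192.168.1.20:28083 0.0.0.0:*
LISTEN 0 128 *:28084 *:*
"""

def split_local(field):
    """Split the ss 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    """True only for loopback addresses; wildcard binds count as exposed."""
    if host in ("*", ""):
        return False
    addr = ipaddress.ip_address(host)
    # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) like its IPv4 form.
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr).is_loopback

def exposed_listeners(ss_output, ports):
    """Return (host, port) for watched ports bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if port in ports and not is_loopback(host):
            findings.append((host, port))
    return findings

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS, {28082, 28083, 28084}):
        print(f"wallet RPC port {port} is reachable via {host}")
```

On a real host, feed it the live output of `ss -H -ltn` and the port the wallet RPC was started with.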