That's hardly an unexpected security hole - most of my devices maintain local copies of everything in my Dropbox folder (phone/iPad excepted). Requiring password/two factor auth to get at the cloud hosted version of something in the local filesystem would achieve pretty much nothing.

Maybe there's people using Dropbox in some other fashion, but surely this is the intended/common use case?