Protected variable falls back to empty string (with dire consequences)

I’ve noticed this behavior and it’s had a pretty bad outcome for us, posting to see if this is intentional, or if I should file a bug report.

CI/CD variables are now protected by default. When trying to access these from an unprotected branch, this doesn’t produce an error, but rather the variable defaults to an empty string.

In our case we had the following variables:

S3_BUCKET (unprotected)
S3_PATH (protected, unintentionally, should've been set to unprotected)

In our .gitlab-ci.yml we had then following line:

- aws s3 sync build/ s3://$S3_BUCKET/$S3_PATH --delete --acl public-read

The pipeline was then run from an unprotected branch. As a consequence it did fill in the S3_BUCKET variable, but also the S3_PATH which became an empty string. So instead of deploying to the specified path, it deployed to the s3 bucket root, deleting everything in the bucket in the process!

Would be glad to hear your thoughts on this.