I think we should disable the /+changelog route used for replication by default and add a new command line option to explicitly enable it. This will prevent accidental exposure of data like password hashes.
This is a backward incompatible change, but wouldn't require import/export. Most installations aren't using replication and anyone who does should read the changelog anyway. So I would propose to skip the increase of the major version.