When ingesting something without providing an ACL, the ingest service currently appends a custom Acl (as a series Acl, strangely enough) that grants read access to the anonymous role and in develop also write access to the "global capture agent role".
This is at least surprising (as evidenced by the lengthy thread on the German user list: https://groups.google.com/a/opencast.org/forum/#!topic/anwender/qj94Xqr2Luw, and seeing that other places of the Opencast code base fall back to *another* default), if not a security risk.
You can test this for yourself for example using the ingest scripts found here: https://github.com/opencast/helper-scripts/tree/master/ingest. Note that the "New Event Wizard" in the admin UI *always* attaches an ACL.