You’re right, they could’ve made it optional, but the concern as I read it is that someone with Checkmk access now also has (clunky but functional) HTTP access to anything Checkmk can access (e.g. if you allow it to access a sensitive system for HTTP health monitoring, you could use this report feature to view the contents of those pages).
The problem with making those sorts of things optional, mind you, is that the people picking the options often aren’t thinking about it as a security control.