What I don't get is why a GRUB password can't be off by default?

It can. I do not know if there even exists another distribution that sets a GRUB password by default.

How does that lead to a user being able to log in straight as root without a password??? (...) I do have a user password

Within GRUB, you can edit the options passed to the kernel. If you add "single", the kernel drops straight into a root terminal. No password asked. That sometimes is useful. Consider, e.g., a system with one single user who forgot her password. She can redefine it with 'passwd' in the root terminal. Simple. In fact, many distributions have "recovery mode" menu entries by default.

By default, Trisquel's GRUB asks for a password to do anything but boot one of the systems with the default options. That makes it difficult for beginners to solve problems such as the password issue mentioned above. And that is only an example. Another one is the use of memtest86+ to test the RAM. One cannot run it without the GRUB password or without disabling it. https://trisquel.info/search/node/01_password lists many other real examples.

It can look scary that anybody facing the GRUB menu can easily get a root terminal. But facing the GRUB menu means facing the physical computer. One cannot remotely interact with GRUB. And facing the physical computer usually means being able to boot a live system and read the GRUB password, or simply 'chroot' into the installed system (i.e., get a root terminal in the installed system).

I wrote "usually" because encrypting the whole disk prevents that. And, in this case, the passphrase to read the disk is always asked, GRUB password or not. Encryption provides real additional security... but a user who forgets the related passphrase is a user who has lost all her data forever!

Back to the absence of additional security with a GRUB password: quidam pointed out that the BIOS/EFI can be configured to not let the attacker boot a live system (any recovery operation becomes even harder!). But, again: she is facing the computer. She can open the computer and take the disk home. Or the whole computer (especially if it is a laptop).

There remain the cases where the computer itself is not physically accessible. Only the screen, the keyboard and the mouse. Kiosks, basically. Or the cases where the attacker is under enough "surveillance" to prevent her from opening/stealing the computer. Internet cafés, for example. In those cases, preventing the users from getting a GRUB shell prompt makes sense. I do not think Trisquel mainly targets those rare contexts though. And, in those contexts, whoever installs the system should be skilled enough to know how to set up a GRUB password.
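As an added example, not part of the thread: a small POSIX shell audit over a constructed grub.cfg fragment that reports the three things this discussion turns on: whether a GRUB superuser password is defined, how many menu entries boot without it (the `--unrestricted` ones), and how many entries boot straight into recovery/single-user mode. The entry names, the "admin" superuser and the placeholder hash are all made up for the sample.

```shell
#!/bin/sh
# Constructed grub.cfg fragment for demonstration only: the entry names,
# the "admin" superuser and the PLACEHOLDER hash are made up. A real hash
# would come from grub-mkpasswd-pbkdf2.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry 'Trisquel GNU/Linux' --class gnu-linux --unrestricted {
    linux /boot/vmlinuz root=/dev/sda1 ro quiet splash
}
menuentry 'Trisquel GNU/Linux (recovery mode)' --class gnu-linux {
    linux /boot/vmlinuz root=/dev/sda1 ro recovery nomodeset
}
EOF

# Returns 0 if a superuser and a hashed password are both defined, 1 otherwise.
grub_has_password() {
    grep -q '^set superusers=' "$1" && grep -q '^password_pbkdf2 ' "$1"
}

# Number of menu entries that can be booted without the GRUB password.
grub_count_unrestricted() {
    grep -c '^menuentry .*--unrestricted' "$1" || true
}

# Number of entries whose kernel line boots to single-user/recovery mode,
# i.e. a root shell with no login (the case discussed in the thread).
grub_count_recovery() {
    awk '/^[ \t]*linux / && /( single| recovery)( |$)/ {n++} END {print n+0}' "$1"
}

# One-line summary an administrator can read or diff between machines.
grub_audit() {
    if grub_has_password "$1"; then pw=yes; else pw=no; fi
    printf 'password=%s unrestricted_entries=%s recovery_entries=%s\n' \
        "$pw" "$(grub_count_unrestricted "$1")" "$(grub_count_recovery "$1")"
}

grub_audit "$SAMPLE_CFG"
```

Point the functions at a real /boot/grub/grub.cfg to see which entries a machine lets anyone at the console boot without a password.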
