The current default in Spring Security is that all its observations--filter chain, authentication, and authorization--are made.
In #15678, SecurityObservationSettings was added so that applications could easily change these settings. Its default is that filter chain observations are off. That is, one can opt-in to the new set of defaults by publishing this bean.
This should become the default setting even if there isn't a SecurityObservationSettings bean present.