Many packages secure certain parts of the Meteor stack, but even then, you cannot rely on these packages completely. Also, you have to be very careful about the packages you choose! Some packages might intercept core functions to funnel information out of your application. This means that you should always have a look at the source code of the package before you install it.
This topic is usually an oversight to novice Meteor developers, and yet it is one of the most important topics to know about. To secure our webapp we need to:
Define roles (set distinctions between users)
Define schemas for every collection (limit how they can modify fields)
Define deny rules (limit who can modify fields)
Use methods, when necessary, to check parameters (ensure complex security when needed)
Set browser policies