Is there any good reason why the default for this tag would be yes? It seems to be that it should almost always be no. I am missing something?
If I recall correctly, the only reason for it being that way is for some backward compatibility issues way back in something like version 1.0 where originally, you had to always pass that information around to maintain your application state.
When the technology moved on, they added the addtoken attribute but left the default so it wouldn't break a bunch of existing code. Now, it's sort of like our appendix and is not used for much. They could probably change the default at this point without much impact.
Allaire, Macromedia and now Adobe are all very keen on maintaining backwards compatibility of feature in the language, so this is probably why its still set this way.
I expect it wouldn't be considered of particularly high importance to "fix", as its not difficult to add the attribute to your tag and would also be counter to backwards compatibility.
If you feel very strongly about this, why not wish list it? http://www.adobe.com/go/wish/
you can always make your own custom tag or cfc that wraps cflocation and internally just passes the url to a cflocation with the addtoken set to false. it would be easy to then do a find a replace on <cflocation -> <cflocation_nosuck
I proposed a few years ago to Adobe to add a configuration setting for it. Im sure the request is still alive somewhere in their system but pestering them again would be great.
You should record your concern here: COLDFUSION BUG DATABASE http://bit.ly/AFhRy
also
You should bring it to the attention of these guys as well: CFML Advisory Committee http://bit.ly/1fXxX6
commenting further, in older versions of CF, you needed to pass the tokens in the URL to do session related "Stuff" ... as I recall.