Static default wpa_passphrase for SoftAP and user debian is a huge security risk
The combination of a default static wpa_passphrase and a default password for user debian (with sudo access) is a HUGE security issue. Many users will not be aware that SoftAp0 defaults to active with known credentials. Whatever mechanism is being used to generate the XXXX end of the SSID for the SoftAP should at least also be used to generate better default passwords.
If Ethernet is also connected, the BeaglePlay becomes an insecure bridge to the LAN from outside.
The Quick Start Guide should warn the user to set new passwords first thing.
The easy out-of-the-box experience must not subvert security.
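One way a first-boot step could replace a shipped static SoftAP passphrase with a per-device random one, as an added example that is not part of the original report or of the BeaglePlay image. It covers only the `wpa_passphrase` half of the issue; the hostapd config path and the shipped default value are assumptions passed in as arguments, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: rotate a static hostapd wpa_passphrase on first boot.
# No board-specific path or default value is assumed; both are arguments.

# gen_passphrase LEN: print LEN characters from [A-Za-z0-9], drawn from the
# kernel CSPRNG. 20 characters give roughly 119 bits of entropy.
gen_passphrase() {
    head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$1"
}

# rotate_wpa_passphrase CONF DEFAULT
# If CONF still contains "wpa_passphrase=DEFAULT", replace it with a random
# value and print the new passphrase. If the owner already changed it, do
# nothing and print nothing, so the step is safe to run on every boot.
rotate_wpa_passphrase() {
    conf=$1
    default=$2

    # Exact, fixed-string, whole-line match against the shipped default.
    grep -Fxq "wpa_passphrase=$default" "$conf" || return 0

    new=$(gen_passphrase 20)
    # WPA2-PSK passphrases must be 8 to 63 printable ASCII characters.
    [ "${#new}" -eq 20 ] || return 1

    # Write to a temp file beside CONF and rename, so hostapd never sees a
    # half-written config. Restrict the mode because the file holds a secret.
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    chmod 600 "$tmp"
    if sed "s/^wpa_passphrase=.*/wpa_passphrase=${new}/" "$conf" > "$tmp"; then
        mv "$tmp" "$conf"
    else
        rm -f "$tmp"
        return 1
    fi

    printf '%s\n' "$new"
}
```

The printed passphrase still has to reach the owner through a local channel (serial console, a label, or a first-login prompt), and hostapd must be restarted for the new value to take effect.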