Yes, it's technically true that anyone could run the upgrade; however, it's not really a security hole.
Firstly, your visitors will never see the upgrade page unless the plugin causes an error on the front end of the site. So nothing will happen unless a visitor specifically visits the URL (which is only linked from the admin area, nowhere else) in the few seconds between you activating the plugin and clicking the upgrade link yourself.
Secondly, it only does database upgrades as defined by the plugin (or core Q2A in the case of a Q2A version upgrade). There is no way for someone to change the queries being run so they cannot add or delete whatever they want.
See this page from the docs for more details, and a server solution to ensure only you can do the upgrade.