Hello @mamoen good question!
Yes! this behaviour is expected. By default development mode enables unauthenticated SSH logins unless custom SSH keys are present, in which case SSH key access is enforced.
Also, development mode provides serial console passwordless login as well as an exposed balena engine socket to use in local mode development.
To move to production mode, did you try to change "developmentMode": true to false?
On the other hand, this feature request matches your second question? SSH Key management in BalenaCloud · Balena Roadmap
Let me know if this works!