The /etc/security/default_contexts file is mildly insecure as the default login role/context is sysadm_r:sysadm_t, followed by staff_r:staff_t and then user_r:user_t. Users who have staff/sysadm rights should not have these by default upon login. That makes it too easy to just be lazy and accept the default, and end up doing normal user stuff they shouldn't be doing with those roles/contexts.
Additionally, is there a way to specify per-user what the default context(s) are? This would aid in support of primary roles in bug #120571. It would also allow the login contexts to be a little more "obvious", in that normal users with access to enhanced roles would still be normal users by default, while a login as root could default to sysadm_r:sysadm_t, which probably makes more sense and is closer to what users would expect.
This has been fixed in the upcoming policy package. As for per-user defaults: yes, the user's .default-contexts file.
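An added example (not part of the bug report or of the policy package): a check that flags entries in a default_contexts-style file where a privileged role is listed ahead of the first unprivileged one, which is the ordering the report describes. It assumes each line is a login-program context followed by candidate role:type contexts in preference order; the sample input and the `PRIVILEGED_ROLES` set are constructed for illustration.

```python
# Roles the report says should not be handed out by default at login.
# (Assumption: adjust to the roles your policy treats as privileged.)
PRIVILEGED_ROLES = {"sysadm_r", "staff_r"}

# Constructed sample in the assumed format:
#   <login program context>  <candidate contexts, most preferred first>
SAMPLE = """\
# constructed sample, not copied from a real system
system_r:local_login_t  sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:sshd_t         user_r:user_t staff_r:staff_t
system_r:crond_t        user_r:user_crond_t
"""


def parse_default_contexts(text):
    """Return [(lineno, source_context, [candidates in listed order])]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        source, *candidates = line.split()
        entries.append((lineno, source, candidates))
    return entries


def role_of(context):
    """Extract the role from role:type or user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 2:
        return ""
    return parts[0] if len(parts) == 2 else parts[1]


def privileged_defaults(text):
    """Flag entries where privileged roles precede the first unprivileged one."""
    findings = []
    for lineno, source, candidates in parse_default_contexts(text):
        ahead = []
        for ctx in candidates:
            if role_of(ctx) not in PRIVILEGED_ROLES:
                break  # first unprivileged candidate reached
            ahead.append(ctx)
        if ahead:
            findings.append((lineno, source, ahead))
    return findings


if __name__ == "__main__":
    for lineno, source, ahead in privileged_defaults(SAMPLE):
        print(f"line {lineno}: {source} prefers {' '.join(ahead)} over any unprivileged role")
```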