We don't know either way, but a standard Postgres install doesn't let remote connections do much. You still have to authenticate before anything is allowed. It's not much different to sshd in this regard. A typical web server is far more promiscuous, with a massive surface area exposed to unauthenticated connections. There have been way more disasters from buggy web frameworks/apps that get systematically popped by crawlers, than from people running RDBMS.