yeah that would have helped, but the issue was really that either the default RBAC for contacts when using "salesforce sites" was either Public from what I remember or it was one of those things that required a lot more proper setup and people usually would "get back to it later" and never did.

So now, you have all your contacts available for unauthorized users to read, and since they provide automatic "list" pages as /<first 3 chars of record> you automatically get a nice table interface for anyone to scrape.