I observed its likely to operate SQL scripts with Oracle's SQLPlus by supplying merely a username with no password. Is not this just like a horrible breach of any kind of to safeguard Oracle?

Or shall we be held missing something?

Probably, your oracle server has OS Authentication enabled, this essentially informs oracle to trust customers already drenched in to the OS.