Seems I've found yet another bug. If a user is signed in and selects "Sign out", a page appears saying "You are signed out" and "We have signed you out and will go to our homepage in 5 seconds".
After the redirect to the home page, the user is still logged in. They can click on the welcome message and view thier account details for example.
We simply can't go live with a system that doesn't correctly sign out users. This is a huge violation of a users privacy and security. If they were shopping from a shared computer, all of thier personal information including billing and shipping addresses (which are likely to be thier home address) would be visible to the next person who strolls into the internet cafe.
When will Magento fix this? Has anyone found a work-around?
It would be more efficient for you to describe the issue in the official issue tracker: https://github.com/magento/magento2/issues
I've done some experimenting and this only happens when Stores>Configuration>Customers>Persistent Shopping Cart>Persist Shopping Cart is set to Yes.