Sync server security

This sounds like a vague generalization about an entire technology category, not a useful answer. If you have any specific points about the security of the Sync Gateway, please let us know in detail; we take security quite seriously.

The Sync Gateway’s APIs are definitely security-conscious, since part of its job is to act as a gatekeeper between the outside world and Couchbase Server. The public APIs all require authentication (unless you’ve explicitly enabled the Guest account). The admin APIs run on a separate port that’s by default bound only to the loopback interface, so it would take explicit action (not an accident) to expose them.

As for encryption, the Gateway has native support for SSL, or can of course easily be placed behind a proxy that adds SSL. It also uses the secure bcrypt procedure to hash passwords.

—Jens
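
A configuration check for the three points in the reply above (admin API binding, Guest account, SSL), as an added example that is not part of the original post or Couchbase's own code. It assumes the key names of Sync Gateway's legacy JSON configuration file (`interface`, `adminInterface`, `SSLCert`, `SSLKey`, `databases.<name>.users.GUEST`), which the post does not mention, and it treats a GUEST entry without a `disabled` field as enabled; the sample configuration is constructed.

```python
import ipaddress
import json

# Constructed sample config (not from the post); key names assume the
# legacy Sync Gateway JSON configuration format.
SAMPLE_CONFIG = """
{
  "interface": ":4984",
  "adminInterface": "0.0.0.0:4985",
  "databases": {
    "todo": {"users": {"GUEST": {"disabled": false, "admin_channels": ["*"]}}}
  }
}
"""

def is_loopback(bind):
    """True if a host:port bind address listens only on loopback."""
    host = bind.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (":4985") or a hostname: treat as exposed

def audit(config):
    """Return a list of findings for the three points the post raises."""
    findings = []
    # Admin API: the default is loopback-only, so only an explicit value exposes it.
    admin = config.get("adminInterface", "127.0.0.1:4985")
    if not is_loopback(admin):
        findings.append(f"admin API bound to non-loopback address {admin!r}")
    # Public API: unauthenticated access exists only if GUEST is enabled.
    # Assumption: a GUEST entry with no "disabled" field counts as enabled.
    for name, db in config.get("databases", {}).items():
        guest = db.get("users", {}).get("GUEST")
        if guest is not None and not guest.get("disabled", False):
            findings.append(f"database {name!r}: GUEST account enabled")
    # Transport: native SSL needs both a certificate and a key.
    if not (config.get("SSLCert") and config.get("SSLKey")):
        findings.append("no SSLCert/SSLKey: SSL must be added by a proxy")
    return findings

if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```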