Let’s get straight to the point. The official documentation states: “To secure your storage account, you should first configure a rule to deny access to traffic from all networks (including internet traffic) by default. Then, you should configure rules that grant access to traffic from specific vnets. This configuration enables you to build a secure network boundary for your applications”.
Navigate to your storage account. What is the default setting? It is shown below.
Even if you have a multi-layer approach to security, you should still be granular: use selected networks and map in only the relevant vnets, as shown below.
You may have also noticed that you can define access to the account by IP addresses and only those addresses will have access. I am actually not sure why the “all access” setting would be the default.
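As an added example (not from the original post or Microsoft's documentation), this Python script audits the JSON produced by `az storage account list -o json` for accounts still on the open default or carrying wide IP rules, and lists the subnets each account admits. The sample data, the account names and the /24 threshold are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `az storage account list -o json`
# (account names, subscription id and addresses are made up).
SAMPLE = json.loads("""
[
  {"name": "stdefaultopen",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stlockeddown",
   "networkRuleSet": {"defaultAction": "Deny",
     "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
     "virtualNetworkRules": [{"action": "Allow", "virtualNetworkResourceId":
       "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-web"}]}},
  {"name": "stwiderange",
   "networkRuleSet": {"defaultAction": "Deny",
     "ipRules": [{"action": "Allow", "ipAddressOrRange": "198.18.0.0/15"}],
     "virtualNetworkRules": []}}
]
""")

MIN_PREFIX = 24  # assumption: IPv4 ranges wider than /24 deserve a review

def audit(accounts):
    """Return {account name: {"findings": [...], "subnets": [...]}}."""
    report = {}
    for acct in accounts:
        rules = acct.get("networkRuleSet") or {}
        findings = []
        # A missing rule set is treated here as the open default (assumption).
        if rules.get("defaultAction", "Allow") != "Deny":
            findings.append("default action is Allow: reachable from all networks")
        for rule in rules.get("ipRules") or []:
            net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
            if net.prefixlen < MIN_PREFIX:
                findings.append(f"broad IP rule {net}")
        # Subnet names are listed so a reviewer can confirm each one is needed.
        subnets = [r["virtualNetworkResourceId"].rsplit("/", 1)[-1]
                   for r in rules.get("virtualNetworkRules") or []]
        report[acct["name"]] = {"findings": findings, "subnets": subnets}
    return report

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, result["findings"] or "OK", result["subnets"])
```

To run it against a real subscription, replace `SAMPLE` with the parsed output of `az storage account list -o json`.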