So here's a fun test I tried. I work at a corp that has a public wifi hotspot (wanderingwifi).
I disconnected my system from ethernet and connected it to the public hotspot. Steam loaded up the splash page right inside of the store page window. I did some further investigation, the browser is detected as chrome 47 under windows 8. Being as the current version of chrome is 50 I can only imagine the exploits that are available for the version that's used for steam.
Good luck getting GabeN to do anything about it though; valve customer service is a disgrace to the IT industry.