Why is "Everyone" security principal automatically assigned READ to tenant OneDrive for Business root site?

Question

1. Why are the "Everyone" and "Everyone except external users" security principals automatically directly assigned the READ permission level to the OneDrive for Business root site (format "[tenant name]-my.sharepoint.com") on tenant creation?
2. Can these security principals be removed without adversely impacting user access to their own OneDrives for business?
3. Microsoft is currently running logic to detect and remove the EEEU permission from the root site of each user’s OneDrive and the default document library in OneDrive (see: MC1013464: We will remove the EEEU sharing permission from root web and default document library in OneDrive’s). Will this effort by Microsoft also impact the "Everyone" and "Everyone except external users" security principals directly assigned the READ permission level to the OneDrive for Business root site?

Answer 1

It's how SPO/ODFB is designed, you need those claims to ensure access to some "system" components. Of course it didnt help that Microsoft decided to also leverage those for sharing, back when their mantra was "sharing should be as easy as possible, and with anyone". Since then, they've tightened control a bit, and afaik those should not be the defaults for any new tenants. You still have the option to enable them, but manually via Set-SPOTenant. Even if permission entries exists for said audiences, they should be limited, and the effort you referred to above should result in a further cleanup.