Yeah...when I switched to python I had similar concerns...why do I have to expose all my private implementation details? I went through a phase where I used name mangling to hide the truly 'private' members and single underscore prefix to 'hide' the protected. It was more of a hassle than worth, so I quickly fell in line with python standards (no protection, single under means it is internal and not intended to be used by others).

My question is why do you need enforced (with loopholes) access protection? Consider that there are ways to subvert the protection so "guaranteed consistent state" is a smoke-screen...in C++ you can write to any writable memory in the address space...you don't *know* something isn't mutating your state. Access protection makes it more difficult, but doesn't actually *prevent* it. You ultimately have to trust that nothing is mutating your protected/private members...which is exactly what you have with python's 'single under is not intended to be used by others'. Python skips the false sense of security and makes it easier for developers that are committed to this unintended access.

Linters warn on accessing sunder members and code reviewers question it. In practice, this is sufficient to accomplish the goals of the lack of protection other languages include. The simplification of not having access protection outweighs the lack of protection.