Once the model is loaded by the controller all model methods are exposed to view
#2

This is not a security threat, it is the "CodeIgniter 3 way".

$this->load->view(...) builds an "include" argument, and "includes" it, which is why all of the controller properties (including models) are accessible inside the view.

There are measures to prevent it being a threat ... .htaccess rules inside the application & system folders, as well as the "defined('BASEPATH') OR exit('No direct script access allowed');" snippet at the beginning of each file.
We also suggest creating a "public" folder, and moving index.php there, for improved security in the case of a mis-configured app.

If a *developer* so chooses, yes they can access models directly. On the other hand, if they only rely on data passed as a parameter to the load->view, then they have better separation of concerns.

By the way, our website and repository are quite clear on the procedure for reporting security concerns - through an email to our security team, or through a report on hackerone.com, *not* through a message on a public forum!
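An added illustration of the mechanism ciadmin describes above (this is example code written for this page, not CodeIgniter's own loader and not anything posted in the thread): a stripped-down imitation of how CI3's `CI_Loader` copies the controller's properties onto itself before `include`-ing the view file, so `$this->user_model` works inside a view, shown beside the "pass data as a parameter" approach the reply recommends. The `MiniLoader`, `Users` and `User_model` classes and the temporary view file are assumptions made for the example; the `BASEPATH` guard line is the standard CI3 one.

```php
<?php
// Added illustration, not CodeIgniter's code nor the poster's: a stripped-down
// imitation of how CI3's CI_Loader exposes controller properties (loaded
// models included) to a view, shown beside the data-array approach the reply
// recommends. MiniLoader, Users, User_model and the temporary view file are
// assumptions made for this example.

// Every CI3 file starts with a guard on this constant; index.php defines it.
define('BASEPATH', __DIR__ . '/system/');

class User_model
{
    public function get_name(int $id): string { return "user#$id"; }
    public function get_secret(): string { return 'value the view has no business reading'; }
}

#[AllowDynamicProperties]          // PHP 8.2+ deprecates dynamic props otherwise
class MiniLoader
{
    public function __construct(private object $controller) {}

    // The point the reply makes: the loader copies the controller's properties
    // onto itself and then include()s the view, so inside the view `$this`
    // reaches everything the controller loaded, models included.
    public function view(string $file, array $vars = []): void
    {
        foreach (get_object_vars($this->controller) as $key => $value) {
            if (!isset($this->$key)) {
                $this->$key = $value;
            }
        }
        extract($vars, EXTR_SKIP);   // passed data becomes plain view variables
        include $file;
    }
}

class Users
{
    public User_model $user_model;
    public MiniLoader $load;

    public function __construct()
    {
        $this->user_model = new User_model();
        $this->load = new MiniLoader($this);
    }

    public function profile(string $view, int $id): void
    {
        // Better separation of concerns: hand the view only the data it needs.
        $this->load->view($view, ['name' => $this->user_model->get_name($id)]);
    }
}

// Constructed view, written to a temp file so the script runs stand-alone.
$viewSource = <<<'VIEW'
<?php defined('BASEPATH') OR exit('No direct script access allowed'); ?>
Passed in as data:           <?= htmlspecialchars($name, ENT_QUOTES) ?>

Reachable, but bypasses MVC: <?= $this->user_model->get_secret() ?>

VIEW;
$viewFile = tempnam(sys_get_temp_dir(), 'ci_view_');
file_put_contents($viewFile, $viewSource);

(new Users())->profile($viewFile, 7);

// Requesting the view file directly (no index.php, so no BASEPATH) hits the
// guard in its first line instead of rendering anything.
echo shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($viewFile)), PHP_EOL;

unlink($viewFile);
```

Run it with the PHP CLI: the first two lines show that both the passed-in `$name` and the model reached through `$this` render, which is the "developer can choose" point; the third line shows the `BASEPATH` guard refusing a direct request to the view file, which is the measure the reply relies on together with the `.htaccess` rules and the public-folder layout.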


Messages In This Thread
RE: Once the model is loaded by the controller all model methods are exposed to view - by ciadmin - 12-08-2018, 07:37 PM


