This is intended behavior and is documented in the threat model as being out of scope for what Consul’s security controls attempt to protect against.
The following are not part of the threat model for server agents:
Access (read or write) to the Consul data directory - All Consul servers, including non-leaders, persist the full set of Consul state to this directory. The data includes all KV, service registrations, ACL tokens, Connect CA configuration, and more. Any read or write to this directory allows an attacker to access and tamper with that data.
In order to reduce the risk that this data is improperly accessed, you should take measures to restrict access to the server OS to authorized users, utilize Unix file permissions to control the which account(s) have access to Consul’s data, and use file system encryption to protect Consul’s data-at-rest.