Package locks protect against unintentional modifications of a package:
they provide similar protection to user packages as is mandated to
common-lisp package by the ANSI specification. They are not, and
should not be used as, a security measure.
Newly created packages are by default unlocked (see the
common-lisp and SBCL internal implementation
packages are locked by default, including
It may be beneficial to lock
common-lisp-user as well, to
ensure that various libraries don't pollute it without asking,
but this is not currently done by default.