Yes, there is a way to break “security”. Another user on the same home computer or terminal server can create an own database, make its file readable by other users, open H2 Console launched by another user and connect to it.
H2 Console and TCP/PG servers need better security model, we discussed it some time ago, but it is still not implemented.
In terms of usability there are many issues when people use relative URLs with another base directory or in-memory database in another process and get confused why their database is empty. Now a correct error message appears.
Other people are now required to do more steps to create a new database from Console.
We need more intuitive interface for it and reasonable security configuration by default. Personally I don't think that H2 Console should allow unlimited access from sessions of other users without explicit permission from Console's owner.