Sadly, I found out the hard way...
cPanel DNS clusters allow axfr requests to all domains by default. Therefore every person on the internet can get a full list of records for my domain, even if I don't want them to.
How do I fix this ASAP?
I tried this on several other cPanel servers, they all do the same thing.