Currently, guest users have the block/online_users:viewlist capability in the system context by default, which means they can see the list of online users, which may cause some privacy concerns.
It seems like a better approach would be to update the default for new sites, so that capability is prohibited on guest users by default. Site admins can enable it if they see fit, but it means the information isn't automatically shared.
A guest is able to see the list of online users. There is no way to avoid it. Even if you remove the block from the frontpage, the guest can manually browse to /my/ and there the block can not be removed. If you can't apply the patch I will supply then you may need to disable to block for the entire site.