We have always left master as default, as no users have any permissions there, and so far no sysadmin has done any harm; but I see the point, and perhaps we should consider using tempdb instead. We do have a few applications that are using JDBC and have no editable connection string for specifying the database, so we have to set the default as the relevant application database. And we recently discovered a live app that had set its default as the demo version of its database - so it stopped when we dropped the demo (unusual; but easily remedied).