Thanks for the response. While I agree that pinning to the patch version is theoretically the safest default, I suspect many less experienced users simply push “Copy This Code” without understanding the ramifications. Those users won’t receive bug fixes without explicitly modifying their YAML.
I would argue that if the orb developer is practicing semver properly, the end user should not be concerned with the particular patch version they are using (or even the minor version). In fact, they should always want the latest patch version, given that it will include the most bug fixes. A patch release (in theory) should not break a build. I see your point, though, that all devs may not be as strict about following semver.
I think another point to consider is that many orbs call out to external services (e.g. to download or upload files), so they are not really super self-contained units. In these cases, even pinning to a patch version won’t guarantee things don’t shift on you. I think you’re actually better off not pinning to a patch so the dev can fix things if the external service begins to fail.