While this is true, that is true for many applications. If the attacker already has access to the file system, it is far too late to worry about your database server. In Unix-type operating systems, the configuration file should be accessible only as root (as it is in `/etc/mongodb/mongodb.conf`). If the attacker has root privileges to change that file, you're boned anyway. Alternatively, the attacker could simply copy the underlying database files, run his own mongo database server and create his own user or use it without authentication to get to your data. To prevent this, only the user that the database runs under should have access to those files.
So the issue, in this case, isn't mongo, but the security of the whole system and the stack of controls, of which securing the configuration file is one. Authentication checking is useful only when the access is coming from outside and can't be bypassed.
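An added example, not part of the original answer: a small audit of the two file-system controls described above. The function names, the default `conf_owner="root"`, and the choice to flag only group/other write bits on the config file are assumptions made for this sketch.

```python
import os
import pwd
import stat
import sys

def owner_name(uid):
    """Map a uid to a user name, falling back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_path(path, expected_owner, forbidden_bits):
    """Return findings for one path; an empty list means it matches policy."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: symlink, audit its target separately"]
    findings = []
    owner = owner_name(st.st_uid)
    if owner != expected_owner:
        findings.append(f"{path}: owned by {owner}, expected {expected_owner}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & forbidden_bits:
        findings.append(f"{path}: mode {mode:04o} grants {mode & forbidden_bits:04o} too much")
    return findings

def audit_mongodb(conf_path, db_path, db_user, conf_owner="root"):
    """Check the config file and every file/directory under the data path."""
    # Config file: nobody but its owner may modify it (assumed policy).
    findings = audit_path(conf_path, conf_owner, stat.S_IWGRP | stat.S_IWOTH)
    # Data files: no access at all for group or others, so they cannot be copied.
    for root, _dirs, files in os.walk(db_path):
        for p in [root] + [os.path.join(root, f) for f in files]:
            findings += audit_path(p, db_user, stat.S_IRWXG | stat.S_IRWXO)
    return findings

if __name__ == "__main__":
    # Usage: audit.py <config file> <data directory> <database user>
    problems = audit_mongodb(sys.argv[1], sys.argv[2], sys.argv[3])
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```

Run it with the config path, the data directory and the account the database runs under; a non-zero exit status means at least one path is owned by the wrong user or is reachable by group or others.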