Intended or security issue?

If I connect to an unprivileged container using lxc-console -n container, enter my login and password, edit a file with vim inside the container, and then press ctrl+a q to exit the console, the next time I run lxc-console -n container on the host I'm directly in my previously exited vim session without being asked for a login / password.

It’s intended. lxc-console attaches you to the container’s console, just like pressing ctrl-alt-f1 would on your machine or just like a serial port would do on a development board.

There’s no way for getty in the container to know that you detached, so the session keeps running.
Just like with physical consoles, you should log out before moving away from it.

Note that only the owner of the container can use lxc-console, so if you can attach to the console, you can also modify its filesystem, stop it, start it, …
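
A way to check for the situation described in this thread before leaving a console, as an added example that is not part of the original posts: it filters `who` output for logins still open on console or tty lines. The function names, the device-name pattern and the sample `who` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find logins still open on a
# container's console/tty lines by filtering `who` output.

# Assumption: console logins show up in `who` as "console", "ttyN" or
# "lxc/ttyN"; adjust the pattern to what your container reports.
CONSOLE_LINES='^(console|tty[0-9]+|lxc/(console|tty[0-9]+))$'

# Read `who` output on stdin; print "user line" for each console login.
open_console_sessions() {
    awk -v pat="$CONSOLE_LINES" '$2 ~ pat { print $1, $2 }'
}

# Succeed only when stdin (`who` output) shows no console login left open.
console_is_clear() {
    [ -z "$(open_console_sessions)" ]
}

# Constructed sample of `who` output from inside a container.
sample_who() {
    cat <<'EOF'
alice    lxc/tty1     2024-01-10 09:12
bob      pts/3        2024-01-10 09:30 (10.0.3.1)
EOF
}

# Live use on the host (hypothetical container name "container"):
#   lxc-attach -n container -- who | open_console_sessions
sample_who | console_is_clear || echo "console session still logged in:"
sample_who | open_console_sessions
```

In the sample, the network login on pts/3 is ignored and only the login on the console line is reported, which is the session a later lxc-console would land in.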