John, Comcast actually started launching these hotspots in 2010. What they didn't officially say until mid-2013 was that they were actually using individual customers' in-home gateway/router devices to broadcast the hotspot signals. The only thing new this time is that they're now launching it in the "middle" states. The following are article links to PC Mag in chronological order.
Hotspots launch in the East Coast, 2010
Hotspots launch in the West Coast, 2012
Official announcement of neighborhood hotspots, 2013
PC Mag article about concerns for Xfinity hotspots, 2014
Notice the first two press releases did not explicitly mention what the hotspots were broadcasting from. The hotspot name has always been "xfinitywifi". It has also been known for a long while that their wireless gateway routers were locked at the firmware level to prevent users from turning off Wi-Fi completely through the web interface. Given those, plus some indications in older user comments about their devices and services in various networking forums, there's strong reason to believe that they've been using in-home devices for hotspots since as early as 2010.
Most places indicate the device involved in broadcasting the hotspot is the Xfinity Wireless Gateway 1 or 2. It's a telephony / gateway / router 3-in-1 device, formerly manufactured by SMC, currently by Arris (who bought out Motorola Home). Security all depends on how well the firmware separates the hotspot from the user's home LAN. If it's in a separate VLAN with firewall rules to isolate it from the home LAN, then that at least to a certain degree stops the hotspot user from being able to see the computers / devices in your home network. However, no one knows how their firmware is written and whether there's any hole in it that can be exploited. Certainly a hotspot user, who's already "in" your router, would have an easier time trying to exploit your router.
The good thing is that not only can you opt out of the hotspot, but you can also call them to switch off the router capability completely (they called it the "bridge mode"). That way it becomes just a cable modem, and you're free to use any wireless router of your choice and free to configure it with any settings you prefer. I think that's the best way to go.
Edit to add: most businesses set up their hotspots using a separate network device. It's separated from their internal LAN, either by using a different ISP-provided IP, or through another layer of router / firewall. That ensures a more secure separation between the two networks. In addition, since the business owns the hotspot, they have total control and admin management of the hotspot. They can control what welcome webpage to display to the user, what authentication is needed before the user can begin using the network, what security features to use to isolate each hotspot client, what network usage and duration limits should be enforced, what information is recorded to identify a particular hotspot client (in case of legal obligation), etc.
Comcast, on the other hand, is using a single network device to achieve this. Unless there are two separate router boards with separate firmware and Wi-Fi radios inside that device (which I highly doubt), there's no comparison to the security of using two devices. In addition, the customers who have the device physically on their premises have absolutely no management control of the hotspot. They have no clue how the hotspot's separated from their network. They have no clue how many hotspot clients are in use, how much bandwidth they're using and how long they've been connected. The control / ownership of the hotspots is totally Comcast's. The good thing is that the customers still have control of the power switch. Flip the switch, and there wouldn't be any hotspot or network left!
Just as John said, the customers may still be legally liable for any illegal activity from the hotspot, since the network device is physically located on their premises. To clear the customers of legal responsibility, Comcast would have to keep a log of all their hotspot users' activities, including the physical locations of the hotspots they used, and retain the record for a reasonable period of time in case of any investigation. That could be a massive log, depending on how big the user base for their hotspots grows.
In addition, since the customers are using their own homes to promote more business for Comcast via the hotspot, there should be an incentive for them if they opt to do so, such as a significantly reduced bill. Otherwise, there's no reason for the customers to do that.