Exposing memcached (or riak or whatever) is operational malpractice.
For efficiency, though, memcached explicitly decided not to handle that kind of filtering itself, e.g. by having the memcached config file take a list of IPs of other memcached servers to talk to (defaulting to none), or including some kind of auth mechanism, and instead relies on the system firewall for that. That's a reasonable design decision, but increasingly unusual. Most servers these days see the system firewall as a backup level of defense, not the primary one, and aim to be secure even when unfirewalled.
If a memcached was bound to a non-public interface then it wouldn't be reachable from the internet (and you'd have to explicitly configure it as such). However, if you're running the cache and the app on separate machines, the cache will need to be reachable. For poorly thought-out deployments this means publicly reachable.
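Added example, not part of the comments above: a small Python check that reads a memcached command line and classifies each `-l` listen address, treating a missing `-l` as all interfaces (memcached's documented default, INADDR_ANY). The function names and the sample command line are made up for illustration.

```python
import ipaddress
import shlex

# Not routed on the internet: RFC 1918, link-local, IPv6 unique-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]
# Constructed sample; 203.0.113.10 is a documentation address used as a stand-in.
SAMPLE = "memcached -u memcache -l 127.0.0.1,203.0.113.10:11211"

def listen_values(cmdline):
    """Collect every address passed with -l ('-l a,b' and '-la' forms)."""
    args, out, i = shlex.split(cmdline), [], 0
    while i < len(args):
        arg, value = args[i], None
        if arg == "-l" and i + 1 < len(args):
            value, i = args[i + 1], i + 1
        elif arg.startswith("-l") and len(arg) > 2:
            value = arg[2:]
        if value:
            out += [v.strip() for v in value.split(",") if v.strip()]
        i += 1
    return out

def strip_port(value):  # drop an optional ':port', including '[v6]:port'
    if value.startswith("["):
        return value[1:value.index("]")]
    host, sep, port = value.rpartition(":")
    return host if sep and ":" not in host and port.isdigit() else value

def classify(value):
    try:
        ip = ipaddress.ip_address(strip_port(value))
    except ValueError:
        return "hostname"  # resolve it and classify the result by hand
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"

def audit(cmdline):
    """Map each listen address to its class; no -l means INADDR_ANY."""
    return {v: classify(v) for v in listen_values(cmdline) or ["0.0.0.0"]}

def needs_review(cmdline):
    """Addresses that are neither loopback nor private, so potentially internet-facing."""
    return [v for v, c in audit(cmdline).items() if c not in ("loopback", "private")]
```

An "all-interfaces" result is only a problem if the host has a publicly routed interface, which is the case where the firewall becomes the sole control.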