Cache-Control: public is totally normal. This website has the same policies. The only time this wouldn’t apply is if you’re loading sensitive assets on a per user basis.
I suspect that not setting “public” would simply default to being read as if it were “public” anyway (requires fact checking).
public: Indicates that the response MAY be cached by any cache, even if it would normally be non-cacheable or cacheable only within a non- shared cache.
private: Indicates that all or part of the response message is intended for a single user and MUST NOT be cached by a shared cache. This allows an origin server to state that the specified parts of the
no-cache: If the no-cache directive does not specify a field-name, then a cache MUST NOT use the response to satisfy a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent caching even by caches that have been configured to return stale responses to client requests.