quicwg / quic-v2

A short specification of a trivial QUIC version 2

Packet injection during Compatible VN

martinduke opened this issue · comments

There might be security considerations related to injecting packets during compatible VN. They may not be worse than other Initial injection attacks, but think it through.

The only packets that a client might accept are in versions that are compatible and supported by the client.

In practice however, a client will accept packets in any version prior to fixating on a version. My implementation will accept any compatible version for Initial packets until it receives a CRYPTO frame, at which point it fixates on that version. That means that what it will accept is limited to ACKs and path validation. Any attack on these can be mounted on a single QUIC version without compatible version negotiation.

If a compatible version is broken and the client is willing to use that version, then it will be vulnerable to attack. That's the new attack here.

I believe this is correct.
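The fixation behaviour described in the thread, sketched as an added example (not code from the draft or from any participant's implementation). The class and function names, the frame model and the trace are assumptions made for illustration; `DISABLED_VERSION` is a constructed placeholder, and packets are treated as already decrypted.

```python
from dataclasses import dataclass
from typing import Optional

QUIC_V1 = 0x00000001           # RFC 9000
QUIC_V2 = 0x6B3343CF           # RFC 9369
DISABLED_VERSION = 0xFF00BAD0  # constructed placeholder: a version this client refuses


@dataclass
class Initial:
    """Simplified Initial packet: its version and the names of the frames it carries.
    A real stack first removes packet protection with version-specific keys."""
    version: int
    frames: tuple


class VersionFixation:
    """Hypothetical client-side policy: accept Initials in any acceptable version
    until one carries a CRYPTO frame, then accept only that version."""

    def __init__(self, acceptable):
        self.acceptable = frozenset(acceptable)  # compatible AND supported versions
        self.fixated: Optional[int] = None

    def accept(self, pkt: Initial) -> bool:
        if self.fixated is not None:
            return pkt.version == self.fixated   # after fixation: one version only
        if pkt.version not in self.acceptable:
            return False                         # never willing to use this version
        if "CRYPTO" in pkt.frames:
            self.fixated = pkt.version           # first CRYPTO frame fixes the version
        return True


def replay(acceptable, packets):
    """Run a packet trace through a fresh client; return (decisions, fixated version)."""
    client = VersionFixation(acceptable)
    return [client.accept(p) for p in packets], client.fixated


# Constructed trace: packets arriving at a client that sent its first Initial in v1.
TRACE = [
    Initial(QUIC_V2, ("ACK",)),           # before fixation: accepted, no fixation
    Initial(DISABLED_VERSION, ("ACK",)),  # not in the acceptable set: dropped
    Initial(QUIC_V2, ("CRYPTO",)),        # fixates on v2
    Initial(QUIC_V1, ("ACK",)),           # other version after fixation: dropped
    Initial(QUIC_V2, ("ACK", "CRYPTO")),  # fixated version: accepted
]

if __name__ == "__main__":
    print(replay({QUIC_V1, QUIC_V2}, TRACE))
```

Shrinking the acceptable set is the client-side control against a broken compatible version: a version the client is not willing to use never reaches the fixation step.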