In a comment on #576, @duerst noted:

I think this is all okay, except when it comes to security considerations. Somewhere in the spec, the fact that a message can contain arbitrary control characters should be clearly called out as a security issue.

This issue is to track this and other items to consider for a security considerations section of the spec, should we decide we need to create one. Add suggestions below.

Fixed in #588. Use new issues to request additional security considerations.