The specification should provide a Security Considerations section as known from many other specifications. I know that there a many hints and considerations inside the individual sections, but a separate section would increase readability.

For example, it is very important to use capability URLs to avoid unwanted updates from an attacker.

Additional resources:

• Self-Review Questionnaire: Security and Privacy

Please let me know what you think of this PR.

Based on your comments in the PR @depressiveRobot, I'll close this as accepted.