Comment 15 for bug 1892852

It looks to me like change https://review.opendev.org/742193 and subsequent review discussion spells out the security risks fairly clearly, so this is basically a publicly known issue at this point. Since I have seen no objections to my proposal in comment #12 two weeks ago, I'm switching this report to Public Security so that it can weigh more clearly in any discussion of proposed fixes or mitigations.