cloud-initramfs-rescuevol:
I see no sane problems with this. If an attacker is in a position to be attaching volumes and rebooting, there are all kinds of other insane stuff they could do too.
The only thing I see as remotely "funny" would be what you outlined in email -- if they somehow have access to the label of an attached device and can trigger a reboot. But ... again, this falls into an existing vulnerability category.
cloud-initramfs -growroot: seems fine.
cloud-initramfs -rescuevol:
I see no sane problems with this. If an attacker is in a position to be attaching volumes and rebooting, there are all kinds of other insane stuff they could do too.
The only thing I see as remotely "funny" would be what you outlined in email -- if they somehow have access to the label of an attached device and can trigger a reboot. But ... again, this falls into an existing vulnerability category.
I don't think it's a problem at all.
+1