RFC-9: Blocking Guest Access to Apps

Another example of what I believe is a problem with guest users is the user property API. In the discussion “We just added user property APIs in Confluence Cloud - #9 by RonnyWinkler” it is explained that once you open an app iframe, you can use AP.request to get and set user properties AS THE APP. There is nothing a Connect app can do to prevent a malicious user from making AP.request calls from within the iframe, but it is at least unexpected if a guest user were allowed to set other users’ properties.
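To make the concern concrete, here is a small probe an app developer could run from inside the iframe. It is an added example, not code from the post above or from Atlassian. It assumes the Connect `AP` bridge is present, that the Confluence Cloud user-property routes have the shape `/rest/api/user/{accountId}/property` and `.../property/{key}` (POST to create, DELETE to remove; check the current REST reference), and that `AP.request` uses the documented `success(responseText, statusText, xhr)` / `error(xhr, statusText, errorThrown)` callbacks. The target account id and property key are placeholders.

```javascript
// Added example (not from the original post or from Atlassian).
// Assumptions: runs inside a Connect app iframe with the AP bridge available;
// user-property routes are /rest/api/user/{accountId}/property[/{key}] with
// POST = create and DELETE = remove; AP.request callback shapes as documented.

const PROPERTY_BASE = '/rest/api/user';

// Build the AP.request options for one user-property call. Kept pure so the
// URL, method and body can be checked without a Confluence tenant.
function userPropertyRequest(accountId, key, type, value) {
  const base = `${PROPERTY_BASE}/${encodeURIComponent(accountId)}/property`;
  const req = { url: key ? `${base}/${encodeURIComponent(key)}` : base, type };
  if (value !== undefined) {
    req.contentType = 'application/json';
    req.data = JSON.stringify({ value });
  }
  return req;
}

// Send a request through the bridge. Connect signs it with the APP's
// credentials no matter who is driving the iframe; the person behind the
// browser session only matters if the platform itself decides to check them.
function callAsApp(ap, req) {
  return new Promise((resolve) => {
    ap.request({
      ...req,
      success: (body, _statusText, xhr) =>
        resolve({ status: xhr ? xhr.status : 200, body }),
      error: (xhr) =>
        resolve({ status: xhr ? xhr.status : 0, body: xhr ? xhr.responseText : '' }),
    });
  });
}

// Who is actually in the iframe, as reported by the bridge.
function currentAccountId(ap) {
  return new Promise((resolve) =>
    ap.user.getCurrentUser((u) => resolve(u.atlassianAccountId)));
}

// Probe whether the platform lets the current iframe user (e.g. a guest)
// write a property onto ANOTHER user's record through the app's identity.
// A 2xx on the cross-user write is the behaviour the RFC discussion worries
// about; a 403 would mean the platform checks the real user, not just the app.
async function probeCrossUserWrite(ap, targetAccountId, key = 'probe-guest-write') {
  const me = await currentAccountId(ap);
  const own = await callAsApp(ap, userPropertyRequest(me, null, 'GET'));
  const write = await callAsApp(
    ap, userPropertyRequest(targetAccountId, key, 'POST', { writtenBy: me }));
  const crossUserWriteAllowed = write.status >= 200 && write.status < 300;
  if (crossUserWriteAllowed) {
    // Leave the target's record as we found it.
    await callAsApp(ap, userPropertyRequest(targetAccountId, key, 'DELETE'));
  }
  return {
    caller: me,
    ownReadStatus: own.status,
    crossUserWriteStatus: write.status,
    crossUserWriteAllowed,
  };
}

// Browser usage inside the iframe (placeholder target id, not a real account).
if (typeof AP !== 'undefined') {
  probeCrossUserWrite(AP, 'someone-elses-account-id').then((v) => console.log(v));
}
```

Run it while logged in as a guest and as a full user and compare `crossUserWriteStatus`; if both get a 2xx, authorization is being decided purely on the app's scopes, which is the gap the RFC is asking to close.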