Content Security: QOM rewriting is omitted if used in certain cases in an Action Controller
The QOM Query Rewriting Aspect checks if the security context is initialized. If it is not yet initialized, it will suspend query rewriting and just proceed to call the execute() or count() method.
This may be a problem because it is not defined when the security context is initialized. It can and does happen that, if no getRole() etc. methods have been called previously (no user is logged in), content is shown which must not be visible.
This issue is, however, quite predictable and becomes apparent during development already.
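
The fail-open behaviour described above, as an added simplified PHP model (not Flow's code and not part of the original report); every class, method and function name and the sample rows are hypothetical. The fail-closed variant, which forces the context to initialize before the query runs, is an assumption about one possible mitigation.

```php
<?php
// Simplified model, not Flow's code: all names here are hypothetical.
final class SecurityContext {
    private bool $initialized = false;
    private array $roles = [];
    public function isInitialized(): bool { return $this->initialized; }
    public function initialize(): void {
        // No user is logged in in this model, so only the anonymous role applies.
        $this->roles = ['Anonymous'];
        $this->initialized = true;
    }
    public function getRoles(): array {
        // Lazy initialization: the first role lookup initializes the context.
        if (!$this->initialized) { $this->initialize(); }
        return $this->roles;
    }
}

final class Query {
    /** @param array<int, array{title: string, visibleTo: string}> $rows constructed sample data */
    public function __construct(private array $rows) {}
    public function execute(?array $roles = null): array {
        // $roles === null means no constraint was added: every row is returned.
        if ($roles === null) { return array_column($this->rows, 'title'); }
        $visible = array_filter($this->rows, fn(array $r): bool => in_array($r['visibleTo'], $roles, true));
        return array_column($visible, 'title');
    }
}

// Behaviour from the report: rewriting is skipped while the context is uninitialized.
function executeFailOpen(SecurityContext $ctx, Query $q): array {
    if (!$ctx->isInitialized()) { return $q->execute(); }
    return $q->execute($ctx->getRoles());
}

// Fail-closed variant: always resolve roles (initializing if needed) before querying.
function executeFailClosed(SecurityContext $ctx, Query $q): array {
    return $q->execute($ctx->getRoles());
}

$rows = [ // constructed sample content
    ['title' => 'Public news', 'visibleTo' => 'Anonymous'],
    ['title' => 'Internal memo', 'visibleTo' => 'Employee'],
];
print_r(executeFailOpen(new SecurityContext(), new Query($rows)));
print_r(executeFailClosed(new SecurityContext(), new Query($rows)));
```

With a fresh, uninitialized context the first call returns both rows, including the restricted one, while the second returns only the row visible to the anonymous role.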