
Without an IOMMU it's a gigantic security risk. I don't know that withholding documentation does anything to slow that down in practice but I wonder if it's somehow part of the obscurity.



As far as I know, nearly all recent Intel chips have an IOMMU: are you saying Thunderbolt bypasses it?

Also, there is the Thunderbolt authorization protocol (see: boltctl on Linux): is that broken in any way?


Intel continued to use the IOMMU feature for product segmentation on mainstream desktop and laptop processors launched as late as 2015, and they've continued to launch Atom-based processors lacking an IOMMU as recently as one year ago. Most systems new enough and powerful enough to support Thunderbolt should at least be free of Intel's arbitrary restrictions on IOMMU capability, but that doesn't mean the firmware and OS actually set it up to provide real security.


No systems with TB have any of these restrictions, as VT-d was supported by all platforms that support TB, since DMA and interrupt remapping is required for TB to operate.
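
The point raised in the thread, that a CPU with an IOMMU does not guarantee the firmware and OS actually enabled it, can be checked on a Linux host. The following is an added example and not part of the original discussion; it reads the standard sysfs locations `/sys/kernel/iommu_groups` and the Thunderbolt domain attributes `security` and `iommu_dma_protection`, and the `exposed`/`gated` verdict is this example's own heuristic.

```shell
#!/bin/sh
# Added example: audit DMA-attack exposure from Linux sysfs.
# The sysfs root is a parameter so the logic can be run on a constructed tree.

# iommu_group_count ROOT -> prints the number of IOMMU groups the kernel created
# (zero means DMA remapping is not active, whatever the CPU supports).
iommu_group_count() {
    n=0
    for g in "${1:-/sys}"/kernel/iommu_groups/*; do
        if [ -d "$g" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# read_attr FILE -> prints the attribute value, or "unknown" if it is absent
read_attr() {
    if [ -r "$1" ]; then cat "$1"; else echo unknown; fi
}

# dma_report ROOT -> an IOMMU summary line plus one line per Thunderbolt domain
dma_report() {
    root=${1:-/sys}
    ngroups=$(iommu_group_count "$root")
    echo "iommu_groups=$ngroups"
    for d in "$root"/bus/thunderbolt/devices/domain*; do
        if [ ! -d "$d" ]; then continue; fi
        sec=$(read_attr "$d/security")
        prot=$(read_attr "$d/iommu_dma_protection")
        # Heuristic (assumption of this example): a domain is "exposed" when
        # devices are auto-authorized (security=none) and the kernel does not
        # report IOMMU-based DMA protection for it.
        verdict=gated
        if [ "$sec" = none ] && [ "$prot" != 1 ]; then verdict=exposed; fi
        echo "${d##*/} security=$sec iommu_dma_protection=$prot verdict=$verdict"
    done
    return 0
}

# Inspect the live system, or a tree passed as the first argument.
dma_report "${1:-/sys}"
```

On a host with no Thunderbolt controller the report contains only the `iommu_groups=` line.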



