Thanks! Isolating user content is the next task on the list — we discussed it internally just yesterday. Unfortunately, we didn't think we'll need it /that/ soon.

Long-term, we definitely need more security-minded folks on the team.

Short-term, I will add an email address in the footer so that such issues can at least be reported privately.