GeoJSON shares security issues common to all JSON content types. See [RFC7159] Section 12 for additional information. GeoJSON does not provide executable content.
GeoJSON does not provide privacy or integrity services. If sensitive data requires privacy or integrity protection, those must be provided by the transport — for example TLS or HTTPS. There will be cases in which stored data need protection, which is out of scope for this document.
As with other geographic data formats, e.g., [KMLv2.2], providing details about the locations of sensitive persons, animals, habitats, and facilities can expose them to unauthorized tracking or injury. Data providers should recognize the risk of inadvertantly identifying individuals if locations in anonymized datasets are not adequately skewed or not sufficiently fuzzed [Sweeney] and recognize that the effectiveness of location obscuration is limited by a number of factors and is unlikely to be an effective defense against a determined attack [RFC6772].
GeoJSON texts should follow the constraints of I-JSON [RFC7493] for maximum interoperability.
The size of a GeoJSON text in bytes is a major interoperability consideration and precision of coordinate values has a large impact on the size of texts. A GeoJSON text containing many detailed polygons can be inflated almost by a factor of two by increasing coordinate precision from 6 to 15 decimal places. For geographic coordinates with units of degrees, 6 decimal places (a default common in, e.g., sprintf) amounts to about 10 centimeters, a precision well within that of current GPS systems. Implementations should consider the cost of using a greater precision than necessary.
Furthermore the WGS 84 [WGS84] datum is a relatively coarse approximation of the geoid; with the height varying by up to 5m (but generally between 2 and 3 meters) higher or lower relative to a surface parallel to Earth's mean sea level.