This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
I suggest adding in G.6 Security Considerations, at the end of the first paragraph (Queries written in XQuery may cause arbitrary...), add:

[[
The XPath 3.1 fn:transform() function allows calls to URI-identified XSLT transformations which may in turn call external system functions and access or write to the file system. The fn:transform() function should be sandboxed or disabled if untrusted queries are run.
]]

The appendix already mentions fn:put(), so no change is needed there.
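As an added illustration (not part of the bug report or of the specification), here is a coarse pre-execution gate that refuses untrusted query text referring to the functions named above. The names `RISKY`, `find_risky_functions` and `is_allowed` are hypothetical, and the sample queries in the tests are constructed. It complements disabling or sandboxing the functions in the processor and does not replace it.

```python
import re

# Local names refused in untrusted queries: the two functions the comment
# names, plus function-lookup, which can obtain either from a computed name.
RISKY = ("transform", "put", "function-lookup")

# A risky local name that is not the tail of a longer name, followed by "("
# (a call, or a "(: comment :)" written before the argument list) or by "#"
# (a named function reference such as fn:transform#1). Any prefix or
# Q{uri} qualifier in front of the name is accepted and ignored.
_REF = re.compile(
    r"(?<![\w.\-])(?P<name>" + "|".join(map(re.escape, RISKY)) + r")"
    r"\s*(?P<kind>[(#])"
)


def find_risky_functions(query):
    """Return (line, local_name, form) for every risky reference in the text.

    Matching is done on the raw text and ignores the namespace, so hits inside
    comments or string literals, and harmless functions that share a local
    name (map:put, a user-declared local:transform), are reported as well.
    That is deliberate: prefixes can be rebound, namespace URIs can be written
    with character references, and comment and quote characters are ordinary
    text inside element constructors, so resolving names or stripping comments
    with a lexical scan could hide a real call. The gate fails closed.
    """
    findings = []
    for m in _REF.finditer(query):
        line = query.count("\n", 0, m.start()) + 1
        form = "reference" if m.group("kind") == "#" else "call"
        findings.append((line, m.group("name"), form))
    return findings


def is_allowed(query):
    """True only when the query text contains no risky reference at all."""
    return not find_risky_functions(query)
```

Queries reaching the same functions through imported modules or vendor extension functions are outside what this scan sees, which is why the processor-level control remains the primary one.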