A malicious user could enter something along the lines of:
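```js
// Build a $set modifier with 99999 junk keys under profile
var update = {};
for (var i = 0; i < 99999; i++) {
  update["profile.trash" + i] = "fehdskfcfknscfdshiufxmiwfehdskfcfknscfdshiufxmiwfehds";
}
// Run from the client console against the logged-in user's own document
Meteor.users.update(Meteor.userId(), { $set: update });
```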
Couldn’t a user do this until the max doc size is reached? Or is there something like a property limit for an Object field in MongoDB?
Also, who wants to send unnecessary data over the wire when you have a few users who play with the client’s console?
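One way to block this kind of client-side write is a server-side deny rule on `Meteor.users` that accepts only a small allowlist of profile fields with bounded string values. This is an added example, not part of the original post; the allowlisted field names, the length limit and the helper name `shouldDenyProfileUpdate` are assumptions chosen for illustration.

```javascript
// Added example: server-side check for client-originated updates to Meteor.users.
// ALLOWED_PROFILE_FIELDS and MAX_VALUE_LENGTH are assumed values for illustration.
const ALLOWED_PROFILE_FIELDS = new Set(['profile.name', 'profile.language']);
const MAX_VALUE_LENGTH = 100;

// Returns true when the modifier must be rejected.
function shouldDenyProfileUpdate(modifier) {
  if (modifier === null || typeof modifier !== 'object') return true;
  const operators = Object.keys(modifier);
  // Only a plain $set is accepted; $push, $rename, $unset etc. are refused.
  if (operators.length !== 1 || operators[0] !== '$set') return true;
  const fields = modifier.$set;
  if (fields === null || typeof fields !== 'object') return true;
  const keys = Object.keys(fields);
  // More keys than allowlisted fields can only mean unknown keys are present.
  if (keys.length === 0 || keys.length > ALLOWED_PROFILE_FIELDS.size) return true;
  for (const key of keys) {
    // Rejects "profile.trash123" and also a $set of the whole "profile" object.
    if (!ALLOWED_PROFILE_FIELDS.has(key)) return true;
    const value = fields[key];
    if (typeof value !== 'string' || value.length > MAX_VALUE_LENGTH) return true;
  }
  return false;
}

// Wiring inside a Meteor server: a deny rule that returns true blocks the write.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.users.deny({
    update(userId, doc, fieldNames, modifier) {
      return shouldDenyProfileUpdate(modifier);
    },
  });
}

// Constructed sample modifiers exercising the check.
function demo() {
  const flood = {};
  for (let i = 0; i < 1000; i++) flood['profile.trash' + i] = 'x'.repeat(50);
  return {
    flood: shouldDenyProfileUpdate({ $set: flood }),
    ok: shouldDenyProfileUpdate({ $set: { 'profile.name': 'Ada' } }),
    whole: shouldDenyProfileUpdate({ $set: { profile: { trash: 'x' } } }),
  };
}
```

Replacing the allowlist check with `return true` denies every client-side update to user documents, leaving profile changes to server methods that validate their arguments.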