While this article is primarily about enterprise business applications, many of the same risks apply to Node-RED if an instance is exposed to the internet.
https://www.linkedin.com/pulse/top-1...-risks-apekai/