There's a nice paper at https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-3_23159_paper.pdf showing how server-side contact discovery APIs can be abused. The exploits don't directly attack this API, but developers using this API need to know that they should defend against them. A security considerations section in this spec seems like a good place to warn people.