there's the theoretical security concern over someone getting the key and setting it up on a new domain, but they'd also have to have access to your DNS to create that domain, or be able to do dns injection with their targets. i'm not sure how many actual real-world scenarios that's actually happened. probably more than zero, but nothing in security is zero, so 🤷