General:
For a reporting specification, the Security Considerations are by definition any risks of unwanted information disclosures. So that is where attention needs to be given.
Operational experience:
I don't have specific knowledge of the information gathering strategies of malicious actors.
When evaluating my reports, I noted that some sources were reporting significantly fewer messages than were sent out. I have specific knowledge about one of those vendors. They offer different filtering products to different clients, and they allow clients to choose whether DMARC is evaluated or not.
So this is what I concluded from that knowledge:
If a server farm hosts DomainA and DomainB, and I only get DMARC aggregate reports when I send to DomainA, then I can conclude that DomainB is not evaluating DMARC and is therefore more vulnerable to impersonation attacks than DomainA.
I think that knowledge is valuable to bad guys, so I think it is worth a warning in our spec.
The problem with this warning is that if people act on it, the volume of reporting might decrease noticeably.