Add security considerations
sandhose committed Jan 17, 2025
1 parent 4deb3c8 commit 85d1958
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion proposals/2966-oauth2-dynamic-registration.md
Expand Up @@ -231,7 +231,15 @@ This approach has the advantage of being able to use the same `client_id` for di

## Security considerations

TBD
The restrictions on the metadata values laid out in this MSC are a best effort to prevent client impersonation, but they are not flawless.

For web clients, it relies on the client's ability to prove ownership of the redirect URI, which can be guranteed to some extent by sane DNS management and its use of TLS.

[Check warning on line 236 in proposals/2966-oauth2-dynamic-registration.md, from GitHub Actions / Spell Check with Typos: "guranteed" should be "guaranteed".]

If the client a client-related domain name hosts an open redirector, it could be used to impersonate the client.

For native clients, because they can use private-use URI schemes and localhost redirectors, it relies more on the underlying operating system's security model, and their application distribution model.
A good example of this is if a mobile client distributed through an app store registers the `app.acme.corp:` scheme in an effort to impersonate "ACME Corp"'s app, then that "ACME Corp" would have a valid case to take down the malicious app off the app store.

In both cases, it is crucial for the server strictly enforce those restrictions, and to show as much information about the client as possible to the user so that they can make an informed decision.

## Unstable prefix
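
Review bot: The open-redirector sentence in the web-client paragraph is ungrammatical ("If the client a client-related domain name hosts an open redirector") and stops at naming the risk. Suggest "If a client-related domain name hosts an open redirector, it could be used to impersonate the client", followed by what the server or the client operator is expected to do about it. In the same paragraph "guranteed" should be "guaranteed", as the spell check already flags, and the closing sentence is missing a "to" ("crucial for the server to strictly enforce those restrictions"). That closing sentence would also carry more weight if "as much information about the client as possible" named which registered metadata the server should show to the user, since the section relies on that display for the user's informed decision.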
