[Zope] AUTHENTICATED_USER insecure. But how insecure?
Heimo Laukkanen
huima@fountainpark.org
Mon, 04 Mar 2002 18:18:17 +0200
"SecurityGetUser = Return the current user object. This is normally the
same as the REQUEST.AUTHENTICATED_USER object. However, the
AUTHENTICATED_USER object is insecure since it can be replaced"
This is something that has been confusing me, since it is never
explained. How much should I worry that REQUEST.AUTHENTICATED_USER
might be changed, and is there much performance downside or anything
else to using SecurityGetUser, which goes all the way back to the
Security Manager to get the user?
-huima
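To make the "can be replaced" caveat concrete, here is an added, stand-alone model of the two lookups (not Zope's code and not from the poster): a mutable REQUEST-style mapping that any script can write to via set(), beside a security manager whose user is only bound by the authentication step. In Zope itself the second lookup is getSecurityManager().getUser() from AccessControl; the class and function names below, and the user database, are constructed for this illustration.

```python
"""Why request['AUTHENTICATED_USER'] is weaker than asking the security manager.

Constructed example: it models the two lookups with plain Python objects and
does not import or reproduce Zope's own classes.  Every name here is
hypothetical except the idea it illustrates.
"""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def has_role(self, role):
        return role in self.roles

    def __repr__(self):
        return "User(%r, %s)" % (self.name, sorted(self.roles))


class Request(dict):
    """Stands in for REQUEST: a mapping that script code can overwrite with
    set(), which is the property the quoted documentation warns about."""

    def set(self, key, value):
        self[key] = value


class SecurityManager:
    """Holds the user bound at authentication time.  There is no public
    setter; only newSecurityManager() (the authentication step) replaces it."""

    def __init__(self, user):
        self._user = user

    def getUser(self):
        return self._user


_security_manager = None


def newSecurityManager(request, user):
    """Model of the traversal step: bind the user in both places at once."""
    global _security_manager
    _security_manager = SecurityManager(user)
    request.set('AUTHENTICATED_USER', user)


def getSecurityManager():
    return _security_manager


def authenticate(request, credentials, user_db):
    """Look the credentials up; unknown credentials become Anonymous."""
    user = user_db.get(credentials) or User('Anonymous User', ('Anonymous',))
    newSecurityManager(request, user)
    return user


# Two ways a site script might gate a privileged action.
def can_manage_via_request(request):
    return request['AUTHENTICATED_USER'].has_role('Manager')


def can_manage_via_security_manager():
    return getSecurityManager().getUser().has_role('Manager')


def untrusted_script(request):
    """Code running as the low-privilege user.  It is not given
    newSecurityManager, but it can write to the request it was handed."""
    request.set('AUTHENTICATED_USER', User('admin', ('Manager',)))


def demo():
    """Returns ((request_check, sm_check) before, (request_check, sm_check) after)."""
    db = {'alice:secret': User('alice', ('Authenticated',))}  # constructed data
    request = Request()
    authenticate(request, 'alice:secret', db)
    before = (can_manage_via_request(request), can_manage_via_security_manager())
    untrusted_script(request)
    after = (can_manage_via_request(request), can_manage_via_security_manager())
    return before, after


if __name__ == '__main__':
    print(demo())  # ((False, False), (True, False))
```

The request-based check flips to True after the script overwrites the key, while the security-manager check still reports alice's real roles; that gap is the whole reason the documentation calls the REQUEST attribute insecure, and the cost of the extra call into the security manager is one attribute lookup.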