In CBOR, Extended Diagnostic Notation (EDN) is a diagnostic format, that is used to facilitate documentation and debugging. 

RFC8949, section 8, explicitly states these diagnostics are not meant to be parsed, which means that these diagnostics do not introduce any new security issues.

This document describes how to add application specific extensions to EDN. The security section of this draft does not discuss the implication of this directly, but instead points to RFC8610 and RFC8949. Because, as stated above, these diagnostics are not meant to be parsed, this document implies that there are no new security implications associated with these new extensions.

If this is the case, it would be nice to add a sentence or two to help the reader get to this conclusion directly, instead of just pointing the reader to the other documents.