Interesting explanation of JSON security
If you have partial control over some of the JSON data, it’s possible to steal the data by manipulating it using UTF-7.
[…]
If you are pen testing JSON feeds, make sure the web site in question prevents external inclusion of the data via script or, even better, recommend the site does not expose the data publicly if privacy will be compromised. Twitter solved the information disclosure problem by requiring authentication for its JSON and other feeds; consider doing the same if the data has to be exposed.
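
A server-side sketch of the two recommendations above (refuse inclusion via script, require authentication), together with output escaping and an explicit charset as a guard against UTF-7 interpretation. This is an added example, not code from the quoted post; `safeJson`, `serveFeed`, the `req.session` field and the reliance on an `X-Requested-With` header are assumptions made for illustration.

```javascript
// Added example: names below (safeJson, serveFeed, req.session) are hypothetical.

// Serialise, then \u-escape risky characters inside string tokens only, so
// attacker-influenced values cannot carry "+ADw-"-style UTF-7 runs or markup.
function safeJson(value) {
  return JSON.stringify(value).replace(/"(?:[^"\\]|\\.)*"/g, (token) =>
    token.replace(/[^\x20-\x7e]|[+<>&']/g, (ch) =>
      "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")));
}

// Decide how to answer a request for a private JSON feed.
// req = { session: object|null, headers: { lower-cased name: value } }
function serveFeed(req, feed) {
  const headers = {
    // Explicit charset: the browser has nothing to guess, so no UTF-7 reading.
    "Content-Type": "application/json; charset=utf-8",
    // Browsers honouring nosniff refuse to execute a JSON MIME type as script.
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
  };
  const reply = (status, data) => ({ status, headers, body: safeJson(data) });

  // Private data is only served to an authenticated session.
  if (!req.session) return reply(401, { error: "authentication required" });
  // Assumption: the site's own client sends this header on XHR/fetch calls.
  // A <script src=...> include on another origin cannot add request headers.
  if (req.headers["x-requested-with"] !== "XMLHttpRequest")
    return reply(403, { error: "script inclusion refused" });
  return reply(200, feed);
}

// Constructed sample data: one field holds user-controlled text.
const sampleFeed = [{ user: "alice", status: "+ADw-script+AD4- caf\u00e9", big: 1e21 }];
const ok = serveFeed(
  { session: { uid: 1 }, headers: { "x-requested-with": "XMLHttpRequest" } },
  sampleFeed);
const included = serveFeed({ session: { uid: 1 }, headers: {} }, sampleFeed);
console.log(ok.status, ok.body);
console.log(included.status, included.body);
```

The escaped body still parses to the original values, so legitimate clients are unaffected.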