
None, except when you're taking a huge shortcut. Which is why you want to be super cautious about using Pickle, or Java serialization, or any serialization solution that deserializes arbitrary objects. Once your deserialization isn't explicit about what objects you accept, you have to be super careful about the provenance of that data.
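An added illustration of the comment's point, not part of the original comment: decoding that names exactly what it accepts, next to a `pickle.Unpickler` whose `find_class` resolves only allow-listed globals (the approach Python's documentation calls restricting globals). The `Order` type, its fields, the allow-list and the sample streams are assumptions constructed for this example.

```python
import io
import json
import pickle
import datetime
from collections import OrderedDict
from dataclasses import dataclass

@dataclass
class Order:
    sku: str
    quantity: int

def order_from_json(raw: bytes) -> Order:
    """Explicit decoding: only the named fields and types are accepted."""
    data = json.loads(raw)
    if not isinstance(data, dict) or set(data) != {"sku", "quantity"}:
        raise ValueError("unexpected structure")
    if not isinstance(data["sku"], str) or type(data["quantity"]) is not int:
        raise ValueError("unexpected field type")
    return Order(data["sku"], data["quantity"])

# If pickle cannot be avoided: the only globals the unpickler may resolve.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class AllowListUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every class or function the stream references.
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"{module}.{name} is not allowed")
        return super().find_class(module, name)

def restricted_loads(raw: bytes):
    return AllowListUnpickler(io.BytesIO(raw)).load()

def is_rejected(raw: bytes) -> bool:
    try:
        restricted_loads(raw)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed sample streams (benign): one allowed type, one unlisted type.
ALLOWED_SAMPLE = pickle.dumps(OrderedDict(a=1))
REJECTED_SAMPLE = pickle.dumps(datetime.date(2024, 1, 1))

if __name__ == "__main__":
    print(order_from_json(b'{"sku": "A-1", "quantity": 2}'))
    print(restricted_loads(ALLOWED_SAMPLE))
    print("unlisted type rejected:", is_rejected(REJECTED_SAMPLE))
```

The allow-list narrows which types a stream can instantiate; it does not make data of unknown provenance trustworthy, so every listed type still has to be safe to construct from attacker-chosen arguments.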

