Jeremy, I probably wouldn't limit the impact statement as you mention. We've focused on disk devices being re-used or exposed, but other things in the XML could provide exposure regardless of the disk config. Something like a NIC being placed on the wrong network, with the wrong MAC, even down to something like re-using a PCI device or GPU (this is a stretch, but...) which could have some sort of risk.
Jeremy, I probably wouldn't limit the impact statement as you mention. We've focused on disk devices being re-used or exposed, but other things in the XML could provide exposure regardless of the disk config. Something like a NIC being placed on the wrong network, with the wrong MAC, even down to something like re-using a PCI device or GPU (this is a stretch, but...) which could have some sort of risk.