Comment 55 for bug 521533

I don't want my previous response to be taken as a vote for the status quo. The behavior I would expect is:

1. If I don't hit save my work disappears.(*) The current application does not have a save function (as distinct from save as), and I'm pretty sure that if I fill in a form, exit, and then open the form my old values will still be there. Worse, if someone else using the same account opens the form, they will see my info.

2. If I do save (not just save as) my work will be saved with the file.

In this case I might not expect, but would be pleased if
3. there were an option to save the form data to a separate file and restore it from a separate file. I'd guess such a facility is consistent with the 1600 page XFA spec, though I can't say I know where :)

Because the current behavior violates these expectations, it is a security risk. Someone's personal information may be exposed in ways unanticipated, and operations that usually assure security, like not saving a file or deleting it, will not work. And operations that are expected to reveal info, like copying/mailing a pdf or operating on it with a different program, may instead conceal/disappear the information.

(*) Some usability experts argue that "work disappears if I don't save" is not the expectation of the lay user, and that our current model of "you must save to keep your work" is aggravating and unintuitive to them. That may well be correct. But unless the surrounding programs all start behaving this way, this behavior is undesirable. An application that may be dealing with sensitive private information is not the place to pioneer new interface models.