There was indeed a discussion about (eventually) only allowing extracting content from JIRA instances that Applinks knows about. This is good for multiple reasons. At the same time this is a big task, especially the migration part of it, since the macro's behaviour will change significantly. We hope to do this at some point in the future, with no specific plans at the moment.
How bad it is to allow rendering HTML in custom fields: not only can a random JIRA instance be used to embed arbitrary content into your Confluence - any web server that produces XML parseable by the JIRA issues macro will do. Basically this turns your Confluence into a proxy for arbitrary external content, which in turn can be used e.g. for downloading malware or stealing your data.
We are in the process of improving the security of the default setup of our products, since they are more and more often used on the Internet, as opposed to strictly on-premises behind a firewall. OnDemand is also a huge driver here. This process can, in a few cases like this, lead to inconvenience where the initial setup of a component (a macro) was less secure to start with.
One of the ways out of the conundrum will be for us to introduce a magic configuration setting in the product - "am I on the internet?". It would permit a number of options that are unacceptable in the Internet scenario. This will not be happening soon, but check back in 6 months or so.
By the way, if you find a security vulnerability that has not been fixed, please do not discuss it here and follow How to report a security issue instead.