I am using Plans (Advanced Roadmap) and I have noticed a security problem.

Plans (Advanced Roadmap) overrides any controls that are set in JIRA. If you have a custom fields that are not editable in JIRA, with Plans (Advanced Roadmap) is anyway possible!

The security problem is that if you use a Security Level based on a user picker field, and this is editable by anyone with Advanced Roadmap it is possible to make visible issues that normally would not be visible on Jira or are protected by some condition rules.

Additionally, if a custom field is made non-editable by removing it from the edit issue screen, changes to the field value is still possible via Plans (Advanced Roadmap)