What should they do? It’s a valid use case made with valid transactions. Creating a CVE for a setting everyone can change freely is extremely embarrassing