Forum OpenACS Q&A: Re: Security Issue: User ID 0 Becomes Member of Registered Users

Not as bad as you might think, because in 4.6.3, our latest release version, 0 isn't really a user, just a party, so queries expecting a user will normally return zero rows when they join to that table.

However, it does mean that random visitors can probably add content here and there. And can see content you'd normally only allow registered users to see, like user info pages with e-mail - a spammer might find this useful if they knew about the hole.

Should be easy to fix...