Forum OpenACS Q&A: Response to TCL, Filters, Security

Posted by russ m on
One issue I've noticed with the RP and OACS's combined
tcl/adp/xql page structure is that the RP makes no effort to hide
the files that shouldn't be visible to browsers, so for example
http://foo.com/index.xql will happily pass your query files back to
whoever requests them.

This isn't on the face of it a particularly serious issue, but it's a bit
of information leakage that I'd be happier without. I keep
meaning to have a dig in the RP and fix it, but haven't put the time
aside yet...
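
One way to close the leak described in the post above without changing the RP itself, as an added example that is not part of the original post or of the OpenACS code base: a filter that answers requests for `.xql` files before any page is served. It assumes the site runs on AOLserver with the standard `ns_*` Tcl API and that the file is loaded at server startup; the proc name `deny_query_file` is hypothetical.

```tcl
# Added example: refuse to serve OpenACS query files (*.xql) over HTTP.
# deny_query_file is a hypothetical name, not an OpenACS proc.

proc deny_query_file {args} {
    # AOLserver passes the filter stage (and, depending on version, a
    # connection id) as arguments. None are needed here, so accept any.
    ns_log Notice "blocked request for query file [ns_conn url] from [ns_conn peeraddr]"

    # Answer 404 rather than 403 so the response does not confirm
    # that the file exists.
    ns_returnnotfound

    # filter_return: a response has been sent, so stop running filters
    # and skip the normal page handling.
    return filter_return
}

# Register the filter for every method a browser might use to fetch a file.
foreach method {GET HEAD POST} {
    ns_register_filter preauth $method /*.xql deny_query_file
}
```

The log line gives a record of who is probing for query files, which is worth reviewing alongside the access log.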