Good question. The problem is that the Flash request starts a new session on the server, so you lose your authentication unless you apply some trickery. The trickery doesn't always work, which is why the next best option is to disable the authentication and route the upload to a publicly exposed controller.
If you look at UploadifyUploader.php, you'll see it's a public controller that, in theory, could be gamed to add files to your system. It's unlikely, but possible. If someone created a POST request containing "Filedata" and "FolderID", it could be used maliciously, especially if someone was able to upload a script. But in reality you should not have execute permissions on user-uploaded files, anyway. Many websites have public-facing forms that feature uploads and deal with these issues all the time.
So that's pretty much it. I'm always looking for better ways to do this, but until HTML5 gets more support, we're kind of stuck with the plethora of concessions we make for Flash-originated uploads.
--------------------
SilverStripe tips, tutorials, screencasts and more: http://www.leftandmain.com
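
One way to keep the public endpoint from accepting arbitrary "Filedata"/"FolderID" posts without relying on the Flash session, as an added example that is not part of the post above or of UploadifyUploader.php: the authenticated page issues a short-lived HMAC token bound to the folder, and the endpoint verifies it and stores the file under a generated name with an allowlisted extension. The `UploadToken` field, `UPLOAD_SECRET`, `ALLOWED_EXT` and all function names are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not code from the Uploadify module.
const UPLOAD_SECRET = 'replace-with-a-random-server-side-secret'; // constructed placeholder
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];         // assumed allowlist

// Called while rendering the uploader for a logged-in member; the token is
// passed to Flash as an extra POST field (hypothetical name: UploadToken).
function issueUploadToken(int $memberID, int $folderID, int $ttl = 600): string {
    $payload = $memberID . ':' . $folderID . ':' . (time() + $ttl);
    return $payload . ':' . hash_hmac('sha256', $payload, UPLOAD_SECRET);
}

// Verifies the MAC in constant time, the folder binding and the expiry.
function verifyUploadToken(string $token, int $folderID): bool {
    $parts = explode(':', $token);
    if (count($parts) !== 4) { return false; }
    [$memberID, $tokenFolder, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', "$memberID:$tokenFolder:$expires", UPLOAD_SECRET);
    return hash_equals($expected, $mac)
        && (int)$tokenFolder === $folderID
        && (int)$expires >= time();
}

// Public endpoint logic; returns the HTTP status the controller should send.
function handleUpload(array $post, array $files, string $destDir): int {
    $folderID = (int)($post['FolderID'] ?? 0);
    if (!verifyUploadToken((string)($post['UploadToken'] ?? ''), $folderID)) {
        return 403; // no valid token: reject before touching the file
    }
    $file = $files['Filedata'] ?? null;
    if (!is_array($file) || $file['error'] !== UPLOAD_ERR_OK) {
        return 400;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return 415; // scripts and other unexpected types never reach disk
    }
    // Generated name: the client-supplied filename is never used as a path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], "$destDir/$name") ? 200 : 500;
}
```

The controller would call `handleUpload($_POST, $_FILES, $uploadDir)`; the upload directory should still be served without script execution, as the post says.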