It is possible to launch a Friends/Friends+, or Group Public instance under someone else's name without needing their credentials. This could be used in malicious ways.

For example, a group may only allow their group moderators to launch new instances, but it is possible that anyone can launch a group public instance, and even under someone else's name who is not a group moderator - and all it takes is the launch URL.

A malicious user could use a world that contains exploits to steal user data, for example, and create a group public instance without any perms needed to create a sense of trust of a group's members to go visit it, who may think it is a legitimate instance by the group.