Comment by jorams

The diff contains two (identical) changes that aren't just ripping out upgrade notices for the pro version: Two functions that stop callbacks from accessing $_POST now also stop them from accessing $_REQUEST, which also contains everything in $_POST. Also confirmed by WP Engine's update notice[1].

I honestly don't see why anyone would treat this as a security issue. Everything involved is PHP code that can do whatever it wants, not in any kind of sandbox.

Edit: And even if it were this update doesn't fix the problem. POST variables can still be accessed:

    filter_input(INPUT_POST, 'name');

[1]: https://www.advancedcustomfields.com/blog/acf-6-3-8-security...