These are great for "data smuggling" attacks where one layer of code assumes the length is 'x' and another layer assumes it is 'y'.

It makes hybrids like this very dangerous for anything even remotely security-adjacent, such as roles, tokens, etc.

This kind of thing caused the CVE-2009-2408 and CVE-2009-2510 "Null Truncation in X.509 Common Name Vulnerability."