The Fragmention specification needs a Security and Privacy Considerations section, perhaps right after the Processing Model section.
At a minimum this section should describe any changes to security or privacy caused by the processing model changes. E.g. revealing to the destination page a phrase or range of text that may have some importance for the user that clicked the fragmention link.
In addition this new section should answer the Security and Privacy Questionnaire from the W3C TAG: https://www.w3.org/TR/security-privacy-questionnaire/