Email reports in Matomo can be abused to send many emails. For example by creating a scheduled email report, then adding a few dozens (or more) email addresses (for example fake, or real), and then clicking "Send Report Now". The email report will be sent to all email addresses. The button can be clicked again and again. This fake email can be triggered every day as well.
Somehow it would be good to implement rate limiting. But not sure how the rate limiting should work...
Maybe an even better (even though complexer to implement) solution would be to require an opt-in for all emails (similar to https://github.com/matomo-org/matomo/issues/13533)
So if you add an email to a report, it only gets added after the user clicked on a confirmation link.