We're dealing with malicious fonts in legal contexts, too. There, the human-visible font tells a different story from its Unicode / machine interpretation in documents like PDF and DOCX[1]. Others have considered the same with web fonts and agents. It's concerning to consider how far things might go if you string together a few exploits and couple them with a binding legal obligation. Or worse, an immediate, irreversible payment.

[1] https://tritium.legal/blog/noroboto
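To make the "visible vs. machine" split concrete, here is an added example (not from the comment above and not tritium.legal's code) for the PDF case. A simple font's /Encoding /Differences array decides which glyph a character code draws, while the font's /ToUnicode CMap decides what copy/paste, search and e-signature tooling report for that same code. The check below parses both, maps glyph names to expected characters via a small embedded subset of the Adobe Glyph List (an assumption; a real tool would load the full list), and flags codes where the two disagree. Caveat: this only catches name-level mismatches; a font whose outlines are themselves swapped (a glyph named `zero` drawn as a `9`) needs rendering or OCR to detect. All sample data is constructed.

```python
"""Consistency check between a PDF simple font's /Differences encoding
(what a code draws) and its /ToUnicode CMap (what extraction returns)."""
import re

# Assumption: a tiny subset of the Adobe Glyph List, enough for the demo.
AGL = {"space": " ", "zero": "0", "one": "1", "nine": "9",
       "comma": ",", "period": ".", "dollar": "$"}
AGL.update({c: c for c in "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"})


def glyph_to_unicode(name):
    """Character a glyph name is expected to draw (AGL name or uniXXXX)."""
    if name in AGL:
        return AGL[name]
    m = re.fullmatch(r"uni([0-9A-Fa-f]{4})", name)
    if m:
        return chr(int(m.group(1), 16))
    return None  # unknown glyph name: cannot judge


def parse_differences(diff):
    """Parse '[ code /name /name code /name ... ]' into {code: glyph_name}."""
    enc, code = {}, None
    for tok in re.findall(r"/[^\s\[\]/]+|\d+", diff):
        if tok.startswith("/"):
            enc[code] = tok[1:]
            code += 1            # consecutive names take consecutive codes
        else:
            code = int(tok)
    return enc


def parse_tounicode(cmap):
    """Parse bfchar and bfrange sections of a ToUnicode CMap into {code: str}."""
    out = {}
    for body in re.findall(r"beginbfchar(.*?)endbfchar", cmap, re.S):
        for src, dst in re.findall(r"<([0-9A-Fa-f]+)>\s*<([0-9A-Fa-f]+)>", body):
            out[int(src, 16)] = bytes.fromhex(dst).decode("utf-16-be")
    pat = r"<([0-9A-Fa-f]+)>\s*<([0-9A-Fa-f]+)>\s*<([0-9A-Fa-f]+)>"
    for body in re.findall(r"beginbfrange(.*?)endbfrange", cmap, re.S):
        for lo, hi, dst in re.findall(pat, body):
            start = int(dst, 16)  # BMP code unit; surrogates not handled here
            for i, code in enumerate(range(int(lo, 16), int(hi, 16) + 1)):
                out[code] = chr(start + i)
    return out


def find_mismatches(differences, tounicode):
    """Codes where the drawn glyph and the extracted text disagree:
    returns [(code, drawn_char, extracted_text)]."""
    enc, tu = parse_differences(differences), parse_tounicode(tounicode)
    bad = []
    for code, name in sorted(enc.items()):
        drawn, claimed = glyph_to_unicode(name), tu.get(code)
        if drawn is not None and claimed is not None and drawn != claimed:
            bad.append((code, drawn, claimed))
    return bad


def two_views(code_bytes, differences, tounicode):
    """(what a human sees, what text extraction yields) for the same bytes.
    Assumption: codes not covered by /Differences draw their ASCII character."""
    enc, tu = parse_differences(differences), parse_tounicode(tounicode)
    visible = "".join(glyph_to_unicode(enc[b]) if b in enc else chr(b) for b in code_bytes)
    extracted = "".join(tu.get(b, chr(b)) for b in code_bytes)
    return visible, extracted


# Constructed sample: code 0x39 ('9') is re-pointed at the 'zero' glyph, while
# ToUnicode is a plain identity range, so extraction still reports "9".
SAMPLE_DIFFERENCES = "[ 57 /zero ]"
SAMPLE_TOUNICODE = """
1 begincodespacerange <00> <FF> endcodespacerange
1 beginbfrange <20> <7E> <0020> endbfrange
"""

if __name__ == "__main__":
    print(two_views(b"$19,000", SAMPLE_DIFFERENCES, SAMPLE_TOUNICODE))
    print(find_mismatches(SAMPLE_DIFFERENCES, SAMPLE_TOUNICODE))
```

With the sample font, the same content-stream bytes render as "$10,000" to the signer but extract as "$19,000" for any downstream system that trusts ToUnicode, and `find_mismatches` reports the single re-pointed code. Running this over every embedded simple font in a document before it is signed or paid against is cheap; it does not replace a render-and-OCR comparison for fonts whose outlines, rather than names, are the lie.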