If a Gnosis Safe is used as a primary account, the risk profile is equivalent to an EOA signing to an invoker. A bug in either could be exploited to take over the user’s entire account.
Users may explicitly sign a message to allow additional functionality of their wallet. It is opt-in though, just like deploying a smart contract wallet.
I recommend reading my post Validation Focused Smart Contract Wallets, as I’ve addressed how EIP-3074 is future-compatible with a world where users can revoke invokers, change wallets, etc.