Privacy considerations on request_uri

[paulbastian]

In the current state, according to RFC9101, the Wallet must fetch the Request Object from request_uri without having any means to verify the identity and authenticity of the Verifier. The request for this object therefore may leak data to the Verifier without the User knowing that or giving consent.

Is this something that should be stated in a privacy consideration section?