scripts running on the page can see the window.qt.webChannelTransport object. This is a security risk since that object is used to implement control of the embedded browser from application code. From reading the source of qwebchannel.js there does not seem to be any security employed while transferring messages. I tried manually setting window.qt = undefined in my injected script and saving private reference to the qt object, but that causes the transport to stop working for some reason.
Also, it would be good if Qt exposed the raw webchanneltransport object on the C++ side, that way we can implement our own communication schemes without having to rely on QWebChannel (which is a pretty awkward interface).
Currently, one could run a private websocket server to get around both these problems, but that is sub-optimal for obvious reasons.