An interesting point came up on IRC…
What happens if someone submits data to your application via a fake form?
How can you ensure that a malicious user will not simply save some unwanted data by filling your $this->data array with things you don’t want there? For example, by sending an “extra” field, one could post $this->data['User']['id'] = 5; and trigger an update instead of save… well you can use your imagination to come up with some other evil tricks.
A simple solution is to ensure that you pass a third parameter to your save() method. If you take a look at the API, you’ll see that save() will allow you to specify a list of fields, which you know should be saved, the rest will be ignored.
P.S. Additional security for your forms (and ultimately your data) can be achieved with the Security component.