Details
- Type: Bug
- Status: Done/Fixed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: 3.1.3
- Fix Version/s: 4.3.0
- Component/s: Core CiviCRM
- Labels: None
Description
Summary: if you add a CiviCRM profile and make it a requirement for Drupal user registration, AND you have Drupal user registration set to "Visitors can create accounts but administrator approval is required" ... if a user registers a Drupal account with an email address that already exists in the CiviCRM database, it will update the CiviCRM contact, even though their Drupal user account is in a "blocked" state. What this means is that any unauthenticated person can modify the contact data of anyone in the CiviCRM database simply by knowing their email address.
One possible solution is to never display a required CiviCRM profile on the Drupal user registration page when admin approval is required for registering a Drupal user. Perhaps the form where one adds the profile as required to the registration page should check this Drupal setting in the formRule() function or something similar, and prevent a user from making that setting as long as Drupal user registration is moderated.
But even that aside, it seems dangerous to allow any unverified/unauthenticated person to modify contact data, either accidentally or maliciously, simply by registering a Drupal user.
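The two mitigations described above (refuse the "required on registration" setting while Drupal moderates new accounts, and never let an unapproved registrant's submission overwrite an existing contact), sketched as an added example. This is illustration code, not CiviCRM's or Drupal's own fix: the function names are hypothetical, the profile form field `is_cms_user` with value 2 meaning "account creation required" is assumed, and the registration-policy check assumes Drupal 7's `user_register` variable and `USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL` constant.

```php
<?php
/**
 * Added example, not CiviCRM/Drupal project code.
 *
 * Layer 1: a formRule()-style validator for the profile settings form that
 * rejects "required on Drupal registration" while registration is moderated.
 *
 * Assumed: the form field is 'is_cms_user' and the value 2 means
 * "Account creation required" (hypothetical for this example).
 *
 * Returns TRUE when valid, or an array of field => message errors, which is
 * the return convention CiviCRM form rules use.
 */
function example_profile_registration_form_rule($fields, $files, $self) {
  $errors = array();

  $required_for_registration = isset($fields['is_cms_user'])
    && (int) $fields['is_cms_user'] === 2;

  if (!$required_for_registration) {
    // Profile is not forced onto the registration page: nothing to enforce.
    return TRUE;
  }

  if (example_drupal_registration_is_moderated()) {
    $errors['is_cms_user'] =
      'This profile cannot be required on the Drupal registration form while '
      . 'registration needs administrator approval: a not-yet-approved '
      . '(blocked) registrant could update an existing contact matched by email.';
  }

  return empty($errors) ? TRUE : $errors;
}

/**
 * Is site-wide registration set to "visitors can create accounts but
 * administrator approval is required"? Assumes the Drupal 7 'user_register'
 * variable. Outside Drupal the safe (moderated) answer is returned.
 */
function example_drupal_registration_is_moderated() {
  if (!function_exists('variable_get')) {
    return TRUE;
  }
  $policy = variable_get('user_register',
    USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
  return (int) $policy === USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL;
}

/**
 * Layer 2 (hypothetical hook point at registration time): decide whether
 * submitted profile values may be written to a CiviCRM contact.
 *
 * $account_is_blocked      TRUE while the Drupal user awaits admin approval
 * $matched_existing_contact TRUE when the email resolved to a contact that
 *                           already existed before this registration
 *
 * A blocked registrant must never overwrite a pre-existing contact; the
 * submitted values should instead be held until the account is approved.
 */
function example_may_apply_profile_to_contact($account_is_blocked,
                                               $matched_existing_contact) {
  if ($account_is_blocked && $matched_existing_contact) {
    return FALSE;
  }
  return TRUE;
}
```

Layer 1 only prevents an administrator from configuring the risky combination; layer 2 is the check that actually stops the data write when the combination exists anyway (for example after the Drupal setting is changed later), so both belong together.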