AppData and security
Because AppData is separate from the content item to which it is attached, it is not subject to the same security restrictions as the content item.
This means that users who may not have, say, write access to the content item itself, could still update its AppData. If you want the AppData to be subject to the same security restrictions as the item itself, implement an Event Handler that triggers when a piece of AppData is saved, and verifies that the user performing the save has write permissions for the corresponding content item. If the user does not have those permissions, saving the AppData should fail.