No extra security concerns at all. In fact, that's one reason I decided to write the function. This function uses bind variables and, although it does concatenate on unescaped column names, those column names are defined by the developer at design time, not run time, and they can't be changed at run time. The only security concern is with the developer, which is the same as it is for a hard-coded query.
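The distinction drawn above, as an added example that is not part of the original post or the function it describes: column names come from a constant fixed in source, and the only run-time value travels as a bind variable. The table, column and function names are hypothetical, the rows are constructed, and Python's `sqlite3` stands in for the database.

```python
import sqlite3

# Design-time constant: fixed in source by the developer, never taken from a request.
# (Hypothetical table and column names, chosen for this example.)
SEARCH_COLUMNS = ("first_name", "last_name", "email")


def build_search_query(columns):
    """Concatenate developer-defined column names; the search value stays a bind."""
    predicate = " OR ".join(f"{col} LIKE :term" for col in columns)
    return f"SELECT id FROM people WHERE {predicate} ORDER BY id"


def search(conn, term):
    """Run the search. `term` is the only run-time input and is always bound."""
    sql = build_search_query(SEARCH_COLUMNS)
    # The same named bind is reused for every column predicate.
    return [row[0] for row in conn.execute(sql, {"term": f"%{term}%"})]


def make_demo_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (id INTEGER PRIMARY KEY, "
        "first_name TEXT, last_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO people VALUES (?, ?, ?, ?)",
        [
            (1, "Ada", "Lovelace", "ada@example.com"),
            (2, "Alan", "Turing", "alan@example.com"),
            (3, "Grace", "Hopper", "grace@example.com"),
        ],
    )
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(search(conn, "turing"))        # ordinary search term
    print(search(conn, "x' OR '1'='1"))  # quote-laden input is compared as plain data
    print(conn.execute("SELECT COUNT(*) FROM people").fetchone()[0])
```

The SQL text is identical for every call, so the statement a reviewer reads in source is the statement the database parses, whatever the user types.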