As someone who just finished a major site migration onto Drupal 7 I'm not even slightly surprised. This was my favorite:
https://www.drupal.org/node/2001308
Files attached to nodes arbitrarily deleted if you have the "display" box unchecked and make the mistake of previewing edits before saving them.
It's not just core you need to worry about either, you need to think about all those modules you require to even do something as simple as manage attached media files. It's totally possible for some idiot module developer to completely bypass all the "security" that's built into core, and it seems like half of them did.