Apparently there are, because if I turn them on my "inbound" connections go from 20-50 to 120-200. And over a typical day's time I would serve out 30-40GB, where in the last 24hrs on 0.19.1 with them off I've served 8GB.
That sounds like a DOS attack, to be honest. I usually see weeks pass without a single connection from an actual SPV client, though there are a bunch of shitty spy things that pretend to be them. It absolutely shouldn't be making remotely that kind of difference.
Uh, also, 125 is the maximum connections.
Correct me if I'm wrong, but after reading some material on it, the privacy risk seems to be the clients' and not mine; the risk is if I was running a node with intent to do something with that info the SPV clients expose to me.
The only issues it exposes you to are DOS attacks and any bugs in that functionality... though bugs seem fairly unlikely at that point. The DOS attack issues have been exploited in the wild, so for a rarely used and not very useful functionality.