The first one is how easy it is to create a fake transaction and transmit it to the whole blockchain without it being instantly detected as fake.
Years ago I saw a scam in which Blockchain.info's block explorer showed transactions as real, but they weren't in any other block explorers and they never confirmed. I don't know how it was done, and clearly it's one of the many bugs that site has, but it made it much easier to trick people.
The problem I see is that a malicious customer may already send you an unconfirmed input. And even if the fee in your direction is just fine, the unconfirmed parent has a very low fee and has a good chance to get double spent. And when the parent is double spent, the children will become invalid.
Anyone who accepts zero-confirmation transactions should at least check if all inputs are confirmed.
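The input check described above, as an added example that is not part of the original posts: it lists every input of an incoming zero-confirmation payment whose parent transaction is itself unconfirmed or unknown, together with the parent's fee rate. The record layout, the transaction ids and the `sample_lookup` helper are constructed for illustration; in practice the lookup would be answered by a node the merchant runs.

```python
from typing import Callable, List, Optional, Tuple

# Constructed sample records: every id and value here is made up.
TXS = {
    "parent_a": {"confirmations": 6, "fee_sat": 2000, "vsize": 200, "inputs": []},
    "parent_b": {"confirmations": 0, "fee_sat": 200, "vsize": 200, "inputs": []},
    "pay_ok": {"confirmations": 0, "fee_sat": 4000, "vsize": 200,
               "inputs": ["parent_a"]},
    "pay_risky": {"confirmations": 0, "fee_sat": 4000, "vsize": 200,
                  "inputs": ["parent_a", "parent_b"]},
    "pay_orphan": {"confirmations": 0, "fee_sat": 4000, "vsize": 200,
                   "inputs": ["missing_parent"]},
}


def sample_lookup(txid: str) -> Optional[dict]:
    """Hypothetical lookup; returns None when the transaction is unknown."""
    return TXS.get(txid)


def unconfirmed_inputs(
    txid: str,
    lookup: Callable[[str], Optional[dict]] = sample_lookup,
    min_conf: int = 1,
) -> List[Tuple[str, Optional[float]]]:
    """Return (parent_txid, fee rate in sat/vB) for each input whose parent
    has fewer than min_conf confirmations. A parent the lookup cannot find
    is reported with fee rate None and counts as unconfirmed."""
    tx = lookup(txid)
    if tx is None:
        raise LookupError(f"payment {txid} not found")
    risky = []
    for parent_id in tx["inputs"]:
        parent = lookup(parent_id)
        if parent is None:
            risky.append((parent_id, None))
        elif parent["confirmations"] < min_conf:
            risky.append((parent_id, parent["fee_sat"] / parent["vsize"]))
    return risky


def accept_zero_conf(txid: str, lookup=sample_lookup) -> bool:
    """Accept without confirmations only if every input is confirmed."""
    return not unconfirmed_inputs(txid, lookup)


if __name__ == "__main__":
    for payment in ("pay_ok", "pay_risky", "pay_orphan"):
        print(payment, accept_zero_conf(payment), unconfirmed_inputs(payment))
```

`pay_risky` pays a good fee itself, yet it is rejected because `parent_b` is unconfirmed at 1 sat/vB, which is the situation the post describes.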