Sharing an xpub is also a security risk, due to being able to derive all private keys from an xpub and a single private key.
If, and only if, the recipient also obtains a single private key from your wallet, the recipient can obtain all your private keys and steal your funds, just as if they had your xprv key.
As far as I know, this only applies to non-hardened derivation schemes, where it is possible to calculate parent keys by combining chain code with the child's private keys. In the case where the derivation process is hardened, an attacker would need your master private keys to calculate child keys, or parent private key to calculate a child key. All backward derivation won't be possible when derivation is hardened. In the case of silent payments, however, you don't share your xpub at all, replacing it with a deterministically derived silent payment address, which is basically a hash of a public key (not a master public key) encoded in a special format. In the latest implementation, it was proposed that silent payment addresses should start with the "sp1" prefix.