Because it doesn't look like it will be repaired any time soon... Let's at least warn people.

The -C flag is implemented with the unsafe ":utf8" layer instead of the safe ":encoding(utf8)" layer. Therefore, -CI, -CS, -Ci, -CD, and their numeric equivalents, are potential security risks.

Likewise, -CA is implemented by setting the SvUTF8 flag (like _utf8_on) and should also be avoided.

• Instead of -CI, use: binmode STDIN, ":encoding(utf8)";
• Instead of -Ci, use: use open ":encoding(utf8)";
• Instead of -CA, use: utf8::decode($_) for @ARGV;
• Instead of -CS, use -COE and: binmode STDIN, ":encoding(utf8)";
• Instead of -CD, use -Co and: use open ":encoding(utf8)";

(Using the ":utf8" layer is safe for output streams.)