>>> myfun("שָׁלוֹם" ,"السّلامعليكم");
>>
>> There is no danger in that example, and in particular nothing
>> invisible.
>
> I'm pretty sure an attacker can use the above confusing arg order to
> turn an apparently harmless program into a security hole.
>

That's possible indeed, but this is not what the "Trojan Source" paper is about. The example you show is only one instance of the many possible reasons why a piece of code can be difficult to interpret; there are many others, e.g. misleading indentation in code. The point made by the "Trojan Source" paper is only about invisible reordering control characters.
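
Added illustration, not part of the original message: a Python check that looks only for the invisible bidirectional control characters the reply refers to, so visible right-to-left text like the quoted `myfun` call passes while hidden controls are reported. The function names, the constructed sample lines in the test and the simplified per-line balance rule are assumptions made for this example.

```python
import unicodedata

# Explicit bidirectional formatting characters defined by Unicode UAX #9.
EMBED_OVERRIDE = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATE = {"\u2066", "\u2067", "\u2068"}                    # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                               # terminators
MARKS = {"\u200e", "\u200f", "\u061c"}                      # LRM, RLM, ALM
ALL_CONTROLS = EMBED_OVERRIDE | ISOLATE | MARKS | {PDF, PDI}


def scan_line(line):
    """Return (findings, balanced) for one line of source text.

    findings: (column, 'U+XXXX', Unicode name) for every bidi control.
    balanced: False when an opener is still open at end of line or a
    terminator has no matching opener (simplified: strict nesting).
    """
    findings, stack, balanced = [], [], True
    for col, ch in enumerate(line):
        if ch not in ALL_CONTROLS:
            continue  # ordinary text, including visible RTL letters
        findings.append((col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
        if ch in EMBED_OVERRIDE:
            stack.append(PDF)
        elif ch in ISOLATE:
            stack.append(PDI)
        elif ch in (PDF, PDI):
            if stack and stack[-1] == ch:
                stack.pop()
            else:
                balanced = False
    return findings, balanced and not stack


def scan_text(text):
    """Return (line_number, findings, balanced) for each line with controls."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings, balanced = scan_line(line)
        if findings:
            report.append((lineno, findings, balanced))
    return report
```

A line that contains only visible Hebrew or Arabic letters yields no findings; any finding in source code is worth reviewing, and an unbalanced one means the reordering can extend past the string or comment it appears in.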