Discussed on IRC/Matrix https://matrix.to/#/!sHzxAiaYPGfEPSGCzf:libera.chat/$TNunZ_vCWYxNGw-XDyCgKyKobccakb2A9noppM8kkTo?via=libera.chat&via=matrix.org&via=tchncs.de concluded to not be a security issue.

My concern was malicious user caching a malicious derivation trying to force root user to invoke it to unleash the payload, but that is not possible due to the use of GPG with the guix repo to prevent injection of malicious DNS server through DHCP.