I mentioned this a few months ago. The biggest risk at the moment is that they intend to scrape public profile information from the fedi. It's in their ToS.
So if this concerns you, please review your profile. These are traditionally public, but you can control access to them. To do this, you should probably turn on 'Forbid indexing of your public channel content by search engines' in your channel privacy settings. This is an advisory setting and I don't presume it will work for bad actors, but it will keep honest data scrapers honest. And remove anything from your public profile that you actually don't want to be public - because it is.
At either a channel level or a site level, you can block the Threads domain, but we also don't know if they will identify themselves when scraping profiles. You should probably also turn on 'require authenticated fetch' on your admin/security page. I have seen reports that this will break federation with some ActivityPub projects. I don't remember which ones. But you've got every right to turn it on and insist that anybody accessing your actor record identify themselves. Streams sites do.
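Why the domain block and 'require authenticated fetch' work together, as an added example that is not part of the original post and is not Streams code: a domain block can only match requests that carry a signature naming their origin. The domain `blocked.example`, the function names and the sample headers are constructed for illustration, and the cryptographic check of the signature is assumed to happen elsewhere and is passed in as `signature_valid`.

```python
import re
from urllib.parse import urlsplit

# Constructed sample policy; blocked.example stands in for a blocked domain.
BLOCKED_DOMAINS = {"blocked.example"}


def key_host(signature_header):
    """Host of the keyId URL in an HTTP Signature header, or None."""
    if not signature_header:
        return None
    m = re.search(r'keyId="([^"]+)"', signature_header)
    if not m:
        return None
    host = urlsplit(m.group(1)).hostname
    return host.rstrip(".") if host else None


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True for a blocked domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def actor_fetch_status(signature_header, signature_valid, require_auth):
    """HTTP status to return for a GET of the actor record.

    signature_valid is the outcome of verifying the signature against the
    key published at keyId (assumed to be done by other code).
    """
    host = key_host(signature_header)
    if host is None or not signature_valid:
        # Anonymous request: there is no identity to match a block against,
        # so only the authenticated-fetch setting can refuse it.
        return 401 if require_auth else 200
    return 403 if is_blocked(host) else 200


# Constructed sample Signature headers.
SIGNED_BLOCKED = ('keyId="https://www.blocked.example/users/a#main-key",'
                  'headers="(request-target) host date",signature="AAAA"')
SIGNED_FRIEND = ('keyId="https://friend.example/channel/b",'
                 'headers="(request-target) host date",signature="BBBB"')
```

With the setting off, the unsigned request in the test below is served even though the domain is blocked; with it on, the same request gets a 401.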
You might also want to block public access to your site directory.
At a project level, we're not taking a stand on Meta. Our job is to make sure that you have the ability to create a relatively safe space on the internet for you and your family.
Choosing your friends isn't part of our job description.