I’m thinking security in general. When you enable HTML, you also enable a buttload of scripting extensions and backend possibilities, and that becomes another set (subset) of problems. Every time you discover a new leak and patch it, there’s another six that surface. I know of many web-based form entry systems that will not allow you to type in scripting or file-control characters precisely because of that. It’s brute-force security to keep crackers from entering scripts right in the comment section, which presumably could then be parsed and executed inadvertently.
Bandwidth might also be a concern. If users are using their DB accounts as “free” webservers, you know there’ll be some high-volume things happening there, including photo and video access.
The “hack” really wasn’t, per se; as I understand it, it’s actually fallout from the LinkedIn password crack of 2012. It was LI that compromised some 60-odd million passwords, and Dropbox users were a subset of that, if they’d connected DB to LI.
Now, connecting to Google might be a viable alternative, ayup.