There is a security issue imo, because a) the server's node could work with a fork and b) it could be targeting someone to make him think he received funds that he did not.
It is not trivial for an electrum server to falsely tell a client that it has received a transaction. Electrum clients will connect to 10 servers by default, and will receive block headers from each. This means that an electrum server would need to use enough PoW to make the client believe they are being provided information about the longest blockchain (the chain with the most total work).
As a result of the above, I would put the risk of being provided false information from electrum servers in line with the risk of accepting transactions with x number of transactions with a full node.
If the elctrum server provides a valid transaction to the client, the client could trivially broadcast the transaction to the rest of the network.