MOQT is a protocol used hop-by-hop between original publishers to relay, (possibly) relay to relay, and relay to end subscribers. Thus, the security considerations need to consider first what happens between two Endpoints, but also consider the impacts end to end over several hops of MOQT.
MOQT uses a trust model where on each hop the Endpoints need to be securely identified, authorized to use resources of the peer, provide confidentiality and integrity to prevent third party attacks and limit monitoring and leakage of privacy sensitive information. The relays within the chain from original publisher to end subscribers will have access to Track names, Track Properties, Object Properties, as well as the object's content unless it is end-to-end encrypted Section 13.4.
Publishers, including Relays, require authorization to prevent unauthorized subscriptions to content. Subscription requests can carry authorization tokens (see Section 13.3) to prove the subscriber's right to access specific tracks or namespaces. Relays that aggregate subscriptions from multiple downstream subscribers MUST ensure each subscriber is independently authorized.