There are issues with trolls loading into a world with an avatar that VRChat's logs report like this:

Error - [AssetBundleDownloadManager] Avatar 'avtr_becb0302-64b5-47b3-ab0d-2a0dcbdef294' did not pass initial checks and won't be downloaded: AssetBundleBadPerformance

The users are in the world able to listen in on conversations and manipulate objects like the image loader, but have no physical presence in the userlist for any active moderation. VRChat should not permit any user in a world with an invalid avatar like this. At the moment since their names and avatars are getting logged, I'm seeing if there are anti-troll measures that can be taken against such users and logging/reporting more verbose information. But to prevent them from actually causing harm in the world, I'd need to work with world creators to develop our own anti-troll systems to ensure such malicious hackers do not interrupt events. In this case, they disrespected people sharing stories about their loved ones who passed away during Dia de Muertos. That was disrespectful to the highest degree and they have been banned from the group. I've already reported the user and sent all my info to VRChat's ToS team for investigation so they do not cause harm to anyone else.

This isn't just a bug, this is a signficant security risk.