KRaft

PVCs are not yet encrypted at rest. This will be a feature on my final installation of KRaft but is not there on my homelab for the time being.
Services across different virtual clusters are not hidden, meaning a user on one cluster could find the names of the services running on the host cluster or other guest clusters. However, those services, while discoverable, are not reachable.
Also note that, as cluster admin, I can see all your running pods and PVCs. I imagine this is the same for other cloud providers, but I am just making sure you know.

While I backup Longhorn PVCs, there is no reliable backup method which retains the state of the K3k cluster. As such, consider your data to not be backed up for the time being and take appropriate measures to not lose all your data.

There is no GDPR compliance yet, probably just missing a working 'delete account' button. The only data stored is what you provide - user account details and cluster specs. Only cookies are for authentication.
There are default limitations and requests applied to all pods. These defaults are fairly low to prevent wasting cluster resources but will be overridden by user-set resource requests/limits. There is also a quota applied to the entire cluster to prevent resource abuse (particularly CPU reservation).
I accidentally deleted all clusters yesterday, so keep in mind that mistakes can happen ^^