One of the concerns about Ethereum contract safety has always been the issue that even though it's theoretically possible to check a piece of code and make sure that it does exactly what you expect it to do, in practice, outside of highly standardized contexts (ie. widely used dapps) where many people can audit the code, it's hard for the average user to check and make sure that there is no secret bug in the program... I actually found a real live example of this on the ethereum mainnet today.
I hadn't much thought about this, although I imagine my colleagues who spend more time thinking about risk analysis had, and I once again reinforced to me the distinction between shared ledger applications (SLAPPs) and actual contracts! Would you want to use a system where,