I haven't set the scope of a variable in JSP, but I have run across potential security issues in working with web apps. There is always the possibility that a web application could have some sort of vulnerability in it.
Using the wrong scope, can allow variables to be set in an unintended manner. It could give a user the capability to bypass conditions, such as form errors, that were intended to produce and error message. Using the wrong scope could give a user the capability to gain access to another user's private information. It could cause a user's private information to persist after a user has logged out of a web service. The next person using the same computer, might be able to log into the same web service using a different username/password, and be able to access the previous user's private information.
One way: putting information in application scope makes it available to all resources in the web app. So data intended to be used for a particular logged-in user, for example, should never be placed there.
This, of course, in no way means not to use application scope; just be sure to use it for information that needs to be shade arose the application.