Good question! I wasn't too concerned about this, because the only way you could even interact with the OS where the server was running was via HTTP requests, which are fairly limited in nature. The OS or kernel itself wasn't directly exposed per se.

ISTR Linux has had RCEs in IPv6 related stuff in recent years.

https://security-tracker.debian.org/tracker/CVE-2023-6200