In, we revamped the file handling so that the file component used the new "managed_file" upload element, allowing for AJAX-uploading. While we properly add file_usage entries to keep track of which files are associated with submissions, we *never mark the file permanent* in the file_managed table. Surprisingly this doesn't cause any terrible harm, but it's not correct. I would have assumed that a file marked temporary would be deleted by system_cron() on cron jobs, but much to my surprise, it doesn't delete files if there are any usages reported. Since a usage exists but the file is temporary, the only bad thing that happens is an entry gets logged in watchdog:
watchdog('file system', 'Did not delete temporary file "%path" during garbage collection, because it is in use by the following modules: %modules.', array('%path' => $file->uri, '%modules' => implode(', ', array_keys($references))), WATCHDOG_INFO);
So that's a good thing, we can easily fix this through an update hook and no ones files were lost. We don't even allow access to files any more if they're temporary unless users have a matching cookie, so we're safe on all counts here. I'm still marking this major because it's a data-corruption issue. Even though core doesn't do anything dangerous, the expectation is that a temporary file can be deleted, so we need to fix this as soon as possible.