I would never have thought of it myself, but some crawlers have been sending requests to our site in the form of:
After rewrite this becomes "mysite.com/index.php?q=some/path&q=something/else".
On the PHP level, the latter q overwrites the first and Drupal will try to deliver "something/else".
However, boost analyses the raw request_uri() and parses "path" to "some/path".
The problem is that boost_is_cacheable() will do it's path evaluation based on the parsed uri and not what Drupal is actually doing.
I'm not sure if this can lead to any security problems at all, but it's certainly a gotcha behavior and has potential for bugs in the future.