I've seen zap requests with maaaany relays (which could be considered an attack vector) 
and I think some private zaps are also rather big - but I honestly don't know the spec there. 
we currently have a size limit on metadata and saw some zaps failing because of that.