Node-RED is built on Node.js, which has a number of potential security weaknesses if they are not mitigated properly. This article from the well-respected Auth0 team (now part of the Okta Identity and Access Management group) covers the common issues and offers thoughts on how to mitigate them.
Is there much in there that affects us lesser mortals? Apart from the obvious ones to not run node-red as root, and to have a specific user for node-red with only the permissions that are needed.
Much of it is for developers. For example, I'd already taken to using some of the supply-chain protection features available as GitHub actions for UIBUILDER. They protect from misbehaving or hijacked dependencies or vulnerabilities.