
Looking forward to the first homograph attack in Rust.



If you look at the Unicode identifiers RFC's discussion[2] you'll see the steps we're taking to address and mitigate that and other problems. That being said, if you look at the tracking issue[3] you would also see that we haven't had the manpower to fully implement this feature, which is why it will remain opt-in, nightly only for the medium term.

[1]: https://github.com/rust-lang/rfcs/blob/master/text/2457-non-...

[2]: https://github.com/rust-lang/rfcs/pull/2457

[3]: https://github.com/rust-lang/rust/issues/55467


Hmm. What would you attack? That is, if you were writing a crate that I was thinking of using in my program, how would homographs allow you to compromise my code?


The best attack is of an alias of a popular crate. Duplicate the functionality/behavior/version number but include a subtle backdoor.


How would people end up using your evil crate though? I guess you could rely on having people copy and paste code from your documentation or tutorials, but if they just type the name then they get the original.


Here’s a somewhat contrived “attack”: I write a crate with two functions that are named similarly, wait for you to integrate it, then file a pull request using the Unicode function name (and hence calling the malicious function) and be relatively assured that if you looked up the function you’d stop reading code at the ASCII one.


The code published on crates.io does not need to match the code in your GitHub repository, so... you don't need Unicode homographs to do this kind of attack.

Also, homographs currently produce a warning...
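The two-similarly-named-functions scenario from the thread, as an added example of the kind of check a reviewer's tooling can run over a crate's source (this is not rustc's code; rustc's own `confusable_idents` lint is the real implementation, with the full Unicode confusables table). The skeleton table here is a constructed five-letter Cyrillic subset and the sample source is constructed.

```rust
use std::collections::HashMap;
/// Map a char to its Latin look-alike. Constructed subset of Unicode confusables.txt
/// (Cyrillic а е о р с: U+0430 U+0435 U+043E U+0440 U+0441); the real lint uses the full table.
fn skeleton_char(c: char) -> char {
    match c {
        'а' => 'a',
        'е' => 'e',
        'о' => 'o',
        'р' => 'p',
        'с' => 'c',
        other => other,
    }
}
/// Skeleton of an identifier: look-alikes collapse to the same string.
pub fn skeleton(ident: &str) -> String {
    ident.chars().map(skeleton_char).collect()
}

/// Crude identifier scanner (letter/underscore start, alphanumeric/underscore continue).
pub fn identifiers(src: &str) -> Vec<String> {
    let (mut out, mut cur) = (Vec::new(), String::new());
    for c in src.chars() {
        let cont = c.is_alphanumeric() || c == '_';
        if cont && !(cur.is_empty() && c.is_numeric()) {
            cur.push(c);
        } else if !cur.is_empty() {
            out.push(std::mem::take(&mut cur));
        }
    }
    if !cur.is_empty() { out.push(cur); }
    out
}
/// Groups of distinct identifiers sharing a skeleton: the confusable pairs
/// the two-similar-functions scenario in the thread relies on.
pub fn confusable_groups(src: &str) -> Vec<Vec<String>> {
    let mut by_skel: HashMap<String, Vec<String>> = HashMap::new();
    for id in identifiers(src) {
        let group = by_skel.entry(skeleton(&id)).or_default();
        if !group.contains(&id) { group.push(id); }
    }
    let mut groups: Vec<Vec<String>> = by_skel.into_values().filter(|g| g.len() > 1).collect();
    groups.iter_mut().for_each(|g| g.sort());
    groups.sort();
    groups
}
fn main() {
    // Constructed sample: ASCII `parse` beside a look-alike spelled with Cyrillic а and е.
    let src = "fn parse(s: &str) {}\nfn pаrsе(s: &str) {}\nfn run() { pаrsе(\"x\"); }";
    println!("{:?}", confusable_groups(src)); // [["parse", "pаrsе"]]
}
```

A pull request that calls the Cyrillic-spelled function would show up as a group with two members, which is the signal a review gate would block on.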

