To the original poster, see also
One should never use "textbook RSA" for secure communications. It has problems with plaintext malleability (that is, there's a predictable way that an attacker can change the plaintext, possibly meaningfully, by changing the ciphertext), with some number-theoretic attacks, and more. Also, with textbook RSA, the message size is limited to the size of the modulus (e.g. with a 2048-bit modulus, you could never send more than 2048 bits of plaintext in a single message).
You can also become familiar with many of these problems by working through Thomas Ptaček's Cryptopals exercises.
In these exercises, you implement famous attacks against naive versions and inappropriate applications of ciphers, including RSA.
Most ciphers provide confidentiality properties under highly idealized conditions where an attacker is given the least prior knowledge and least ability to influence the communications process, and where mathematical quirks that could lead to a mathematical solution of the cipher are assumed not to occur. This means that other kinds of constructions need to be used in order to produce a system that's secure in practice. An analogy is that one might use a hash for message authentication, based on the claim that the hash is secure in certain settings -- but this may be vulnerable to length extension attacks. Or one might use a block cipher in ECB mode, based on the same sort of claim -- but this may be vulnerable to several mode-of-operation attacks such as recognizing repeated encryptions of the same plaintext.