You are letting the headless browser process run with the same permissions as the user that started it. If an attacker compromises the browser, they are no longer in a jail cell; they are loose inside your process. So, yes, there is a definite security problem.