I was thinking similarly about the OLE Automation. That is also a configuration which is turned off by default just like CLR and once enabled allows you to do so many different things while CLR being enabled by itself doesn't do much. One still need to register assemblies and create objects to use them. Especially if the TRUSTWORTHY database configuration is avoided I'm having a hard time thinking of anything inherently insecure.

That said, I'm very interested to hear about security concerns related to this [clr_http_request] function, provided they're specific and not a blanket "CLR opens up security concerns"
Hopefully nobody uses this function to mount DDOS attacks :blink: (although, I imagine even that'd be rather ineffective)