This MOD isn't any greater security risk than phpBB itself (except for, perhaps, that it's less well tested). Other than that, it uses essentially the same process on inputting, storing, and displaying information (in this case CSS) that's done when a user makes a forum post.
This is untrue. It is not the same as phpBB, as it allows the uer to create his own
There are bugs in browsers, particularly IE, that allows for exploitation, even with CSS. The risks aren't vast, and it isn't as open as allowing people to insert their own HTML, of course, but there are some very interesting exploits which can be utilized through this means.
This is well documented throughout the developer sites on the 'net, particularly those discussing community-building and user customization.