While doing some testing, I found that the checkout.ClientCheckoutCosmeticsPacket isn't being sanitized on the server, as it accepts any ID as a valid cosmetic ID. After submitting a report on this, an essential developer responded with "We don't think there'd be any issues [without server side validation]." After just a little while of poking around, I was able to find that you could gift these junk IDs to another user, and there was no limit on how many you could gift. After just 1.5hrs of gifting random cosmetic IDs, the other user had to wait 45 seconds for their essential client to initialize, as it had to download 200MB of data. Leaving the script on for longer could quickly make essential client unusable, filling up the allocated RAM to JVM and also causing the client to be stuck downloading junk IDs.

This, of course, was seen as a more severe threat to essential's team, and the issue was resolved in a day. So, be sure to validate the data on the server before accepting it :D