salt-project

Why shouldn't a Salt top file use grains for matching sensitive pillars?


The Salt documentation says:

Don't use grains for matching in your pillar top file for any sensitive pillars.

But it doesn't elaborate any further, leaving a few open questions:

  1. First: Why not? I assume this is because the grains are provided by the minion, so a compromised minion could lie about any of its grains to gain any pillar data that it shouldn't have, but I'm just asking to be explicit about it.

  2. Most importantly: What should a pillar top file use for matching? And why don't other matchers suffer the same security problem as grains? For example, doesn't the minion also provide its own ID?


Solution

  • It is because grains can be set arbitrarily on minions in the minion's /etc/salt/grains file.

    Amongst other things, pillars are where you store sensitive data that should be private to each minion.

    Consider VPN keys: random minions shouldn't ever be able to download the OpenVPN server's CA and certificate, and each minion shouldn't have access to each other's certificate either.

    When you target by minion, you are targeting by the RSA key attached to that minion ID. That can't be spoofed by renaming the minion ID on a random minion.
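As an added illustration (not part of the original answer or of Salt's own documentation), the three YAML documents below show the OpenVPN case from the answer: the grain value a compromised minion would set for itself, the grain-matched pillar top file that would hand that minion the server secrets, and the minion-ID-matched form that does not. The hostnames, the `role` grain, and the pillar SLS names are assumptions chosen for the example; the file paths are the standard Salt locations.

```yaml
# Added example, not from the original answer. Three YAML documents,
# separated by "---", each with the file it would live in as a comment.
# Hostnames, the "role" grain and the SLS names are assumed for illustration.

# /etc/salt/grains on an attacker-controlled minion (constructed).
# Grains are minion-supplied, so this one line is all it takes to "become"
# the VPN server as far as grain matching is concerned.
role: openvpn-server
---
# /srv/pillar/top.sls, WEAK: targets by a grain the minion itself controls.
# Any minion that sets role: openvpn-server receives openvpn.server_secrets,
# i.e. the CA and the server certificate.
base:
  'role:openvpn-server':
    - match: grain
    - openvpn.server_secrets
  'role:openvpn-client':
    - match: grain
    - openvpn.client_secrets
---
# /srv/pillar/top.sls, CORRECTED: targets by minion ID.
# The master will only talk to an ID from the minion whose public key it
# accepted for that ID (/etc/salt/pki/master/minions/<id>), so a minion that
# renames itself to vpn1.example.com is rejected rather than served secrets.
# The default matcher is a glob on the ID, so no "match:" line is needed.
base:
  'vpn1.example.com':
    - openvpn.server_secrets
  # One SLS per client so no client can read another client's certificate.
  'client01.example.com':
    - openvpn.clients.client01
  'client02.example.com':
    - openvpn.clients.client02
```

Check the effect from the master with `salt 'client01.example.com' pillar.items`: under the weak top file a client that has edited its grains shows the server secrets, under the corrected one it only ever shows its own `openvpn.clients.client01` data, and the master's accepted-key list (`salt-key -L`) is what decides which ID each connection may use.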