Can someone enumerate everything to which I am exposing myself (and my site) by running/deploying my Grails App with "grails run-app" rather than doing it "correctly" with a .war file?
Grails.org saysL
Grails should never be deployed using the grails run-app command as this sets Grails up in "development" mode which has additional overheads.
Is it only performance, or is there a security issue there too?
Performance is the big difference. If you must use run-app be sure to run 'grails prod run-app' so at least some of the optimizations are in place. run-app is designed to be devloper-friendly, with lots of reloading, and the corresponding file system scans that are necessary to support that.
When running in a war, GSPs are precompiled, which saves permgen significantly and results in much faster performance. There's nearly no caching in run-app since as a developer you don't want to have to restart, but in production you usually only need to make changes for a redeployment, so caching is much more aggressive.