I had a thought about this potential vulnerability this morning for gifted/donated names. It’s a sophisticated attack, but I do think it may be possible:
In the same way that it’s possible to visually spoof ENS names with similar-looking characters, a custom resolver may be able to spoof a text record that says “address” in the app when the real ETH address record is hidden, or there’s something in the resolver that redirects funds to a different wallet instead. Even more malicious if it waits to trigger until a large enough amount is sent to or from it.
If spoofing the visual appearance of a text record, making a text record field invisible or otherwise tampering with where an address points is possible using a custom resolver, I feel like there should be some pretty big alerts in the app that the address has a custom resolver set, possibly even an alert on Etherscan for the address, since it’s a detail of an address that even advanced users may not pay attention to.
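As an added illustration (this is not code from the post above or from any ENS client), here is the kind of wallet-side sanity check the post is asking for. It takes only data a wallet already fetches for a name (the resolver address the registry returned, the result of `addr()`, the text records, and optionally a second `addr()` call made right before signing) and flags the cases described: a resolver that is not on a trusted list, a text record whose key looks like "address" but whose value differs from or stands in for the real `addr()` record, a look-alike key containing non-ASCII characters, and an `addr()` result that changed between display and signing. The trusted-resolver list, the key heuristics and all sample data are constructed for the example; a real wallet would fill the allowlist with the resolver contracts it actually trusts.

```python
# Added example, not part of the original post: offline sanity checks on an
# ENS resolution result. All addresses and the trusted-resolver list are
# constructed placeholders.
import re
from dataclasses import dataclass, field
from typing import Optional

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
ZERO_ADDRESS = "0x" + "00" * 20
# Text-record keys a UI might render next to, or instead of, the payment address.
ADDRESS_LIKE_KEYS = ("address", "addr", "eth", "wallet", "pay")


@dataclass
class Resolution:
    name: str
    resolver: str                 # resolver contract the registry returned for the name
    addr: Optional[str]           # result of resolver.addr(node); None if unset or reverted
    text: dict = field(default_factory=dict)   # key -> value from resolver.text(node, key)
    addr_recheck: Optional[str] = None         # addr() called again just before signing


def looks_like_address(value: str) -> bool:
    return bool(ADDRESS_RE.match(value.strip()))


def normalise(addr: Optional[str]) -> Optional[str]:
    """Lower-case a usable address; treat unset, malformed or zero address as absent."""
    if addr is None:
        return None
    a = addr.strip().lower()
    if not looks_like_address(a) or a == ZERO_ADDRESS:
        return None
    return a


def check_resolution(res: Resolution, trusted_resolvers) -> list:
    """Return a list of human-readable warnings; an empty list means nothing suspicious."""
    warnings = []
    trusted = {a.lower() for a in trusted_resolvers}

    # 1. Custom resolver: addr() is whatever the contract computes, on every call.
    if res.resolver.lower() not in trusted:
        warnings.append(f"custom resolver {res.resolver}: addr() is contract code, not a stored record")

    real = normalise(res.addr)
    if real is None:
        warnings.append("no usable addr() record; nothing should be sent to this name")

    # 2. Late swap: the address shown to the user differs from the one at signing time.
    if res.addr_recheck is not None and normalise(res.addr_recheck) != real:
        warnings.append(f"addr() changed between display ({res.addr}) and signing ({res.addr_recheck})")

    # 3. Text records that look like, or compete with, the payment address.
    for key, value in res.text.items():
        if any(ord(c) > 127 for c in key):
            warnings.append(f"text record key {key!r} contains non-ASCII characters; possible look-alike key")
        if not looks_like_address(value) or not any(tok in key.lower() for tok in ADDRESS_LIKE_KEYS):
            continue
        if real is None:
            warnings.append(f"text record {key!r} carries an address ({value}) but addr() is unset; it is NOT the payment address")
        elif value.strip().lower() != real:
            warnings.append(f"text record {key!r} ({value}) does not match addr() ({res.addr})")
    return warnings


# Constructed sample data (placeholders, not real contracts or wallets).
TRUSTED_RESOLVERS = {"0x" + "11" * 20}
PUBLIC_RESOLVER = "0x" + "11" * 20
CUSTOM_RESOLVER = "0x" + "22" * 20
WALLET_A = "0x" + "aa" * 20
WALLET_B = "0x" + "bb" * 20

SAMPLES = [
    Resolution("alice.eth", PUBLIC_RESOLVER, WALLET_A, {"url": "https://example.com", "address": WALLET_A}),
    Resolution("gifted.eth", CUSTOM_RESOLVER, WALLET_B, {"address": WALLET_A}),
    Resolution("hidden.eth", CUSTOM_RESOLVER, None, {"eth address": WALLET_A}),
    Resolution("late.eth", CUSTOM_RESOLVER, WALLET_A, {}, addr_recheck=WALLET_B),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.name, check_resolution(sample, TRUSTED_RESOLVERS) or "OK")
```

The check is deliberately conservative: a wallet cannot inspect what a custom resolver will return next time, so the only robust moves are to re-resolve immediately before signing, show the raw `addr()` result rather than any text record, and surface the resolver address itself when it is not one the wallet knows.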