First I must say that Scheme is my favorite language in two senses: Some of the faults I describe below seem like oversights that could be easily fixed but for others have have no solutions that even I like. In general, in keeping with much of the content of this site, expressivity is not always good. Many languages provide expressivity in ways that enable malicious code without making legitimate code much easier. The sort of security I want here is the ability to argue about properties of part of a program by examining only that part of the program.

I have studied R6RS only a little. My impression is that perhaps out of success the language is growing so as to be no longer simple. See dynamic-wind below.

This is a security worry. I fear enhancements such as dynamic-wind because I don’t know just what a ‘dynamic extent’ is. I fear that dynamic-wind is trying to regain patterns of global variables. There is an interaction with call/cc which is not elucidated I think. That might be OK (secure) for some concepts of dynamic extent.
The following definitions seem to me to give the same function
(define Values list)
(define (Call-with-values p q) (apply q (p)))
It has been a long time since I have been inside a compiler but I don't understand the optimizations this would preclude. The Rationale notes that multiple values are a different concept than a list. I grant this but also note that cardinal numbers are a different concept than ordinal numbers, and that it is still better to reify them in the same computer construct. This is a minor security problem for it expands the security model slightly.
See this. I think a correctly compiled program must spend much of its time verifying that the value of the cell under ‘car’ has not changed.
It would be nice to have a primitive version of continuation that could be invoked only once. This would simplify security arguments.
To understand call/cc it seems clear how to transform the provided Scheme semantics from big-step to small-step style, and thus to the actor’s vantage point. From that vantage point call/cc is clear. If dynamic-wind were described from that vantage point it might also be clear. I should study the new formal semantics for Scheme.