Cross-site scripting and clickjacking are major concerns. Many issues can be resolved by setting some headers in the HTTP responses for the user interface and the REST responses, for both the master and slave processes.
X-Frame-Options: Can be set to deny, sameorigin, or allow-from <uri>
X-XSS-Protection: 1; mode=block
These would go a long way toward making sites that use Marathon more secure. Note that an attacker does not need access to the Marathon hosts: the attack is carried out through a legitimate user's web browser, so any user who can reach both Marathon and the internet is exposed.
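The following is an added example, not code from Marathon or Mesos, showing both halves of the point above: a wrapper that stamps the two headers onto every response (here a WSGI middleware standing in for whatever actually serves the UI and REST responses), and an audit function that reports a response whose headers are missing or weakened. The demo app, the port and the header values other than those named on the page are assumptions for illustration.

```python
"""Apply and audit X-Frame-Options (anti-clickjacking) and X-XSS-Protection.

Example code added to illustrate the headers discussed above; the WSGI wrapper
is a stand-in for the real front end, not Marathon's own code.
"""
from wsgiref.simple_server import make_server

FRAME_HEADER = "X-Frame-Options"
XSS_HEADER = "X-XSS-Protection"
XSS_VALUE = "1; mode=block"


def _valid_frame_options(value):
    """Accept the three forms named above: deny, sameorigin, allow-from <uri>."""
    v = value.strip().lower()
    return v in ("deny", "sameorigin") or (
        v.startswith("allow-from ") and len(v.split(None, 1)) == 2
    )


def security_headers_middleware(app, frame_options="DENY"):
    """Wrap a WSGI app so every response carries both headers.

    Any copy of these headers set by the inner app is dropped first, so a
    single handler cannot silently weaken the site-wide policy.
    """
    if not _valid_frame_options(frame_options):
        raise ValueError("unsupported X-Frame-Options value: %r" % frame_options)

    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            kept = [
                (k, v) for k, v in headers
                if k.lower() not in (FRAME_HEADER.lower(), XSS_HEADER.lower())
            ]
            kept.append((FRAME_HEADER, frame_options))
            kept.append((XSS_HEADER, XSS_VALUE))
            return start_response(status, kept, exc_info)

        return app(environ, patched_start_response)

    return wrapped


def audit_headers(headers):
    """Return a list of findings; empty means both headers are set acceptably.

    `headers` is a dict or an iterable of (name, value) pairs; header names are
    compared case-insensitively, as HTTP requires.
    """
    pairs = headers.items() if hasattr(headers, "items") else headers
    lookup = {k.lower(): v for k, v in pairs}
    findings = []

    frame = lookup.get(FRAME_HEADER.lower())
    if frame is None:
        findings.append("X-Frame-Options missing: any site can frame the page (clickjacking)")
    elif not _valid_frame_options(frame):
        findings.append("X-Frame-Options has an unrecognised value %r; browsers ignore it" % frame)

    xss = lookup.get(XSS_HEADER.lower())
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif xss.replace(" ", "").lower() != XSS_VALUE.replace(" ", "").lower():
        findings.append("X-XSS-Protection is %r, expected %r" % (xss, XSS_VALUE))

    return findings


def call_wsgi(app, path="/"):
    """Invoke a WSGI app in-process; returns (status, headers, body) for checks."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


def demo_app(environ, start_response):
    """Constructed stand-in for the UI. It sets a weaker SAMEORIGIN value
    deliberately, to show the wrapper replacing it with the configured policy."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("X-Frame-Options", "SAMEORIGIN")])
    return [b"<html><body>dashboard</body></html>"]


if __name__ == "__main__":
    # Serve the wrapped demo so `curl -i http://127.0.0.1:8080/` shows the headers.
    with make_server("127.0.0.1", 8080, security_headers_middleware(demo_app)) as httpd:
        httpd.serve_forever()
```

`audit_headers` is the piece worth wiring into a deployment check: feed it the headers of a real response and treat a non-empty result as a finding. Two caveats a practitioner should keep in mind: `X-XSS-Protection` drives a browser-side heuristic filter that current browsers have largely removed, so it is a belt-and-braces setting rather than a fix for an XSS bug in the application, and `ALLOW-FROM` is honoured only by some browsers, so `DENY` or `SAMEORIGIN` is the safer choice when the UI never needs to be framed.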