Security researcher Jonathan Leitschuh reported that Netflix Priam (a Netflix OSS project available here: https://github.com/Netflix/Priam) writes to a local temporary file with world-readable permissions.
An attacker with read access to the local filesystem can read anything written there by the Priam process.
Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--.
Further details are available from the original reporter.
Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.