
What counts as "'serious usage' of apt-ftparchive"?

Posted Nov 26, 2025 16:50 UTC (Wed) by smcv (subscriber, #53363)
In reply to: What counts as "'serious usage' of apt-ftparchive"? by ATLief
Parent article: APT Rust requirement raises questions

If you trust (or are responsible for) those custom builds, it doesn't really matter whether this is serious usage or not, because presumably you aren't expertly crafting them to exploit bugs in apt-ftparchive (if you did, you'd only be hurting yourself and your users, which you can do more easily by putting something malicious in the packages). The point at which you start using it to parse a .deb that might have been maliciously crafted by an attacker (like Launchpad PPAs) is the point at which bugs become security vulnerabilities.

(Probably Launchpad should be mitigating this by running apt-ftparchive in a sandbox that has no read access to anything non-public except for the target PPA's per-PPA signing key, and no write access to anything except the target PPA's metadata; and for all I know, maybe they already do.)

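The sandbox policy sketched in the comment above, as an added example that is not Launchpad's, apt's or the commenter's own code: a POSIX shell wrapper that runs apt-ftparchive and the Release-signing step under bubblewrap, with a read-only view of the PPA's pool/ and of that PPA's signing key, write access only to that PPA's dists/ metadata, no network, and a throwaway tmpfs for gpg's working directory. Everything beyond the comment's policy is an assumption of this example: that bubblewrap is installed as bwrap on a merged-/usr host, that the PPA root contains pool/ and dists/, that the key is an unprotected ASCII-armored secret key (as produced by gpg --export-secret-keys -a), that one suite/section/architecture (main, amd64) is published, and the paths /archive and /keys used inside the sandbox.

```shell
#!/bin/sh
# Added example, not code from apt, Launchpad or the LWN comment.
# Confine apt-ftparchive and Release signing with bubblewrap so that a
# maliciously crafted .deb can at worst corrupt this PPA's own metadata.
#
# Assumptions (not from the page): bwrap is installed, the host is
# merged-/usr, "$archive" contains pool/ and dists/, "$keyfile" is an
# unprotected armored secret key, and only main/binary-amd64 is published.

# Shell script executed inside the sandbox, with /archive as the working
# directory.  Paths in the generated Packages file are relative to the cwd,
# so "pool/..." is what clients expect.
publish_script() {
    suite=$1
    cat <<EOF
mkdir -p dists/$suite/main/binary-amd64
apt-ftparchive packages pool > dists/$suite/main/binary-amd64/Packages
gzip -9c dists/$suite/main/binary-amd64/Packages > dists/$suite/main/binary-amd64/Packages.gz
# Write Release outside dists/ first so it does not hash its own empty self.
apt-ftparchive release dists/$suite > /tmp/Release
mv /tmp/Release dists/$suite/Release
# gpg's homedir lives on the sandbox tmpfs and disappears with the sandbox;
# the key material itself is only ever visible read-only at /keys/secret.asc.
mkdir -m 700 -p /tmp/gnupg
gpg --homedir /tmp/gnupg --batch --quiet --import /keys/secret.asc
gpg --homedir /tmp/gnupg --batch --yes --clearsign -o dists/$suite/InRelease dists/$suite/Release
EOF
}

# run_sandboxed ARCHIVE KEYFILE SUITE
# Builds the bwrap command line and runs it.  With DRY_RUN=1 it prints the
# command line (space-separated) instead, so the policy can be reviewed or
# tested without bwrap being present.
run_sandboxed() {
    archive=$1
    keyfile=$2
    suite=$3
    set -- bwrap \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --clearenv \
        --setenv PATH /usr/bin:/bin \
        --setenv HOME /tmp \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --ro-bind /etc/ld.so.cache /etc/ld.so.cache \
        --ro-bind /etc/apt /etc/apt \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --ro-bind "$archive/pool" /archive/pool \
        --bind "$archive/dists" /archive/dists \
        --ro-bind "$keyfile" /keys/secret.asc \
        --chdir /archive \
        -- /bin/sh -ec "$(publish_script "$suite")"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s ' "$@"
        echo
    else
        "$@"
    fi
}
```

Design notes: /usr, /etc/ld.so.cache and /etc/apt are the only host paths mapped in, and all read-only, so there is no route to other PPAs' keys or to anything non-public; the network namespace is unshared, so a compromised apt-ftparchive cannot phone home; and the pool is read-only, so corrupted output is confined to dists/. Two caveats a practitioner should keep in mind: the signing key is readable inside the same sandbox as the parser, so a successful exploit can still produce validly signed but attacker-chosen metadata for that one PPA (the policy in the comment accepts this; running the gpg step in a second sandbox that sees only dists/ and the key, and never the pool, narrows it further), and bubblewrap confines filesystem and network access but not CPU or memory, so resource limits need a separate mechanism such as a cgroup or ulimit.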


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds