But assumed worst case: there is some magic string that if they can get your web server to spit it out, in that encoding, can be used to dump anything php has access to… or run any arbitrary assembly… as your php user.
There are probably a dozen lesser degrees too.
Disclaimer: I’m not a security researcher either… it’s been 20+ years since I sat down and crawled through any code looking for malicious ways to abuse it.