If QVariant was just a container (open sum type, like std::any), the story would end there, and it could be marked as security-significant, the default, like QList. Both are used all over the place in Qt, but, crucially, QList doesn't interpret its contents. QString does, so it's security-critical. Unfortunately, QVariant also interprets its contents (it performs conversion between content types), and there's also load(QDataStream&), so this can't be anything else but critical. Both headers are full of implementation most of which can't be called trivial, so the headers are critical, too. Task-number: QTBUG-135190 Pick-to: 6.10 6.8 Change-Id: I12688f502b6362f2f541a5aba012c80677dbfef9 Reviewed-by: Matthias Rauter <matthias.rauter@qt.io>