Not just that, it has the same issues that Secret had, at least for smaller companies - you can just create a bunch of fake accounts and invite a single person you know, then have the fake accounts post some stuff to make it look like there are a lot of users, then hear what the individual says.
In addition there are two other pretty big holes. The first is the LinkedIn verification (where anyone can claim to be part of any org) and the second involves ways of receiving mail sent from the domain that is sent to non-employees (e.g. via a helpdesk ticket - a common attack against Slack and other services that use domain name as a security identifier).