
format_username() should be used when outputting username in RDF module

This was reported by becw to the security team, but was cleared as there are no security concerns. It can be fixed publicly.

When the RDF module is enabled, it renders the $account->name property directly in an HTML meta tag on user profile pages without running it through format_username(). This is only visible to users who have permission to view user profiles.

Exposing usernames probably isn't a security hole, but if a site is doing something terrible like setting the account name to the email address... well, that's probably the site's own fault.

There is no risk of XSS here because the value is sanitized with drupal_attributes(). See also http://drupal.org/node/1004778
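The following is an added illustration, not the RDF module's own code or the patch from this issue. It shows a simplified Drupal 7 preprocess hook that emits the profile's RDFa meta tag in the two forms the report contrasts (raw $account->name versus format_username()), and a hypothetical hook_username_alter() implementation that demonstrates what is lost when format_username() is bypassed. The module name "example_rdf", the "_before"/"_after" function names and the 'foaf:name' predicate are assumptions for illustration; format_username(), hook_username_alter(), drupal_add_html_head(), entity_uri() and url() are real Drupal 7 APIs.

```php
<?php
// Added example (hypothetical "example_rdf" module), not code from the
// Drupal RDF module. Assumes a Drupal 7 bootstrap: format_username(),
// drupal_add_html_head(), entity_uri() and url() come from core.

/**
 * "Before": the raw account name is written straight into the meta tag.
 *
 * This bypasses format_username(), so no hook_username_alter()
 * implementation on the site ever runs and whatever is stored in
 * {users}.name (which some sites set to the e-mail address) is shown
 * to anyone with permission to view the profile.
 */
function example_rdf_preprocess_user_profile_before(&$variables) {
  $account = $variables['elements']['#account'];
  $uri = entity_uri('user', $account);
  $meta = array(
    '#tag' => 'meta',
    '#attributes' => array(
      'about' => url($uri['path'], array_merge($uri['options'], array('absolute' => TRUE))),
      'property' => 'foaf:name',
      'content' => $account->name,
    ),
  );
  drupal_add_html_head($meta, 'rdf_user_username');
}

/**
 * "After": the display name is obtained through format_username().
 *
 * format_username() returns an unsanitized string, but theme_html_tag()
 * passes #attributes through drupal_attributes(), which runs
 * check_plain() on every attribute value, so the tag is still safe
 * against XSS either way; the change only affects what is disclosed.
 */
function example_rdf_preprocess_user_profile_after(&$variables) {
  $account = $variables['elements']['#account'];
  $uri = entity_uri('user', $account);
  $meta = array(
    '#tag' => 'meta',
    '#attributes' => array(
      'about' => url($uri['path'], array_merge($uri['options'], array('absolute' => TRUE))),
      'property' => 'foaf:name',
      'content' => format_username($account),
    ),
  );
  drupal_add_html_head($meta, 'rdf_user_username');
}

/**
 * Implements hook_username_alter().
 *
 * Hypothetical site-specific masking: a site that stores e-mail
 * addresses as account names hides the domain part everywhere the
 * display name goes through format_username(). The "before" variant
 * above never invokes it, so the full address leaks into the markup.
 */
function example_rdf_username_alter(&$name, $account) {
  if (strpos($name, '@') !== FALSE) {
    // Keep only the local part, e.g. "alice@example.com" -> "alice".
    $name = strstr($name, '@', TRUE);
  }
}
```

The sanitisation point matters when auditing similar output: format_username() is a display hook, not an escaping function, so it belongs alongside (not instead of) the check_plain() that drupal_attributes() applies, which is why the report classes this as a consistency fix rather than an XSS.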

