Many preach that deploying assemblies to the GAC is a potential security breach, as the code runs with full trust. So many advocate deploying your assemblies to the Bin directory and using CAS (Code Access Security) to give them the necessary rights to run.
I've been working on a customisation to improve wiki and forum functionality in SharePoint to better support a technical community. I decided to give CAS a try, and deploy to Bin (my work is mostly POCs, hence I just deploy to GAC). It was difficult at the beginning, as it is so difficult to understand and determine the necessary permissions. Fellow MVPs Reza Alirezaei, Paul Schaeflein and Todd Bleeker helped me pick it up, and managed to grant all the necessary rights for my webparts. I gave up on application pages, but later learned that inheriting from LayoutsPageBase requires full trust.
When trying to figure out how to give the assemblies the necessary rights, I found myself just adding permission requests in AssemblyInfo.cs. Then I realised that the target environment doesn't have any code review process in place. Many clients that engage my consulting time also don't want to hear about code review or testing. They still insist on using app pool to prevent code from one vendor from bringing down the production server, etc. Hence there is nothing to stop a dev from basically requesting every permission available!
I also find the permission requests quite general. Some of the requests just grant the code access to the object model. Tell me, which SharePoint customisation doesn't use the OM? Why isn't it broken down into smaller pieces, like a request for administrative objects such as central admin or shared services? So I don't believe CAS will help deliver more secure code. But if IT has a code review process in place, then CAS will help to a certain extent (though I think it would be even better if permissions could be made more granular).
For now, I'd rather GAC all my assemblies...
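An added example, not part of the original post: a small Python check that could run at check-in time where no manual code review exists, flagging over-broad assembly-level permission requests in an AssemblyInfo.cs. The function name, the rule set and the sample file contents are assumptions constructed for illustration.

```python
import re

# Assembly-level declarative security attribute, for example:
# [assembly: FileIOPermission(SecurityAction.RequestMinimum, Unrestricted = true)]
ATTR_RE = re.compile(
    r"\[\s*assembly\s*:\s*(?P<name>[\w.]+?)(?:Attribute)?\s*"
    r"\(\s*SecurityAction\.(?P<action>\w+)\s*(?:,(?P<args>[^)]*))?\)\s*\]")
ARG_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,\s]+(?:\s*\|\s*[^,\s]+)*)')

# Actions that ask for rights; RequestRefuse only gives rights up.
REQUEST_ACTIONS = {"RequestMinimum", "RequestOptional"}
# SecurityPermission flags that let code step outside the CAS sandbox.
ESCAPE_FLAGS = {"UnmanagedCode", "SkipVerification", "ControlPolicy", "ControlEvidence"}


def audit_assembly_info(source):
    """Return (line_no, permission, reason) for each over-broad request."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore commented-out attributes
        for m in ATTR_RE.finditer(code):
            if m.group("action") not in REQUEST_ACTIONS:
                continue
            name = m.group("name").split(".")[-1]
            args = {k: v.strip().strip('"')
                    for k, v in ARG_RE.findall(m.group("args") or "")}
            if args.get("Unrestricted", "").lower() == "true":
                findings.append((line_no, name, "unrestricted"))
            if name == "PermissionSet" and args.get("Name") == "FullTrust":
                findings.append((line_no, name, "full trust"))
            if name == "SecurityPermission":
                flags = set(re.findall(r"\w+", args.get("Flags", "")))
                flags |= {k for k, v in args.items() if v.lower() == "true"}
                for flag in sorted(flags & ESCAPE_FLAGS):
                    findings.append((line_no, name, "escapes sandbox: " + flag))
    return findings


# Constructed sample AssemblyInfo.cs content (not taken from a real project).
SAMPLE = '''\
using System.Security.Permissions;
using Microsoft.SharePoint.Security;
[assembly: SharePointPermission(SecurityAction.RequestMinimum, ObjectModel = true)]
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true)]
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Unrestricted = true)]
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Flags = SecurityPermissionFlag.UnmanagedCode | SecurityPermissionFlag.Execution)]
// [assembly: PermissionSet(SecurityAction.RequestMinimum, Name = "FullTrust")]
[assembly: PermissionSet(SecurityAction.RequestOptional, Name = "FullTrust")]
[assembly: EnvironmentPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
'''
```

The object-model and execution requests pass, while the unrestricted, unmanaged-code and full-trust requests are reported with their line numbers so a build step can fail on them.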
http://blogs.zdnet.com/Google/?p=1308&tag=nl.e539
This is already the second time information is leaked from Google. So if you have NDA information, or company secrets inside Google, be warned!