The revised draft includes a reference to RFC 6366, as requested.
There is no mention of my concern that independent implementations of
a codec can have shared vulnerabilities due to the nature of the
encodings.  (I admit this probably belongs in a update to RFC 6366.)
Has the working group considered this concern, either during the
writing of RFC 6366, or as an update to RFC 6366 (which this document
might be an appropriate vehicle for)?

Editorial:

It's still not clear whether the intent of the document is to deal
only with audio codecs.  The body text implies that it does, but it
would be helpful to confirm that in the title and/or abstract.

Thanks for disambiguating "RF" (by removing the acronym).