The general risk is based around the fact that it is possible for a site to direct traffic for a subdomain of theirs to a different company's IP address.
This could be used to send client request for cdn.example.com to a content
distribution network used by example.com, or to direct traffic for
ads.example.com to a company that serves ads for example.com.
This situation appears to be fairly uncommon at the current time.
This is a real threat to privacy and is
currently in use
on various popular sites.
Aside from possible privacy issues, attackers can also use this technique. For example, if you visit www.evilsite.com, there may be attacks launched from that site which target your private network (the network behind your router and likely within your firewall). It could do this by using a subdomain such as attack.evilsite.com whose IP address resolves as a private network address such as 192.168.1.1.
The same technique could be used to attack sites not on your local network by pointing a subdomain to the IP address of another server not affiliated with evilsite.com. In such a case, your browser will not send along cookies that belong to the other site because the name being used is attack.evilsite.com rather than the name of other other site. This makes the attack less useful in most situations.
RequestPolicy will likely implement protection against such attacks on a local network in a future release even without the need to use stricter domain classification than registered domain name.