Let's take the scenario of 3 equitable organizations, i.e., each organization runs peers and should be equally involved in the ordering process.
For me, it feels quite natural to configure those 3 organizations to have an orderer node and some peers, each. However, this setup is highly discouraged. Quote from the FAQ:
Question: Can I have an organization act both in an ordering and application role?
Answer: Although this is possible, it is a highly discouraged configuration. By default the /Channel/Orderer/BlockValidation policy allows any valid certificate of the ordering organizations to sign blocks. If an organization is acting both in an ordering and application role, then this policy should be updated to restrict block signers to the subset of certificates authorized for ordering.
In another SO question, one answer gave a little more detail on this topic:
First, it's very easy to misconfigure your policies and reduce the security of the system significantly. The ordering service and the application operate based on the principle of separation of powers. It is important that ordering nodes cannot fabricate authentic transactions, and it is likewise important that application transactors cannot fabricate blocks.
And continues with:
Second, because the MSP definition must appear in both sections of the channel config, you end up with two identical copies of the MSP definition, which must be kept exactly in sync. Since both MSPs have the same ID, if the contents are not exactly the same, then it creates an ambiguity in evaluating identities.
I scratched my head for the whole night thinking about which attack vectors and actors could expose a potential security risk for my organization or the whole network, if this setup is not properly configured.
Unfortunately, I can only think of one scenario: If there were a vulnerability in the orderer binary, another organization's orderer could exploit this to create transactions with my organization's identity.
Question: What attack vectors can be exposed, if you have peers and orderers in a single organization and it's not configured correctly? Who would be the actors? Clients, admins, other organizations of the network, complete outsiders?
Bonus question: What is the proposed alternative in the given scenario? Should each participating organization be split into a separate peer and orderer organization? Like Company1PeerOrg, Company1OrdererOrg, Company2PeerOrg,...?
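
The policy change the quoted FAQ answer refers to, sketched as a `configtx.yaml` fragment. This is an added example, not part of the original post or the Fabric documentation. The MSP IDs `Company1MSP` to `Company3MSP` are hypothetical, and the hardened form assumes each MSP has NodeOUs enabled with an orderer OU identifier so that the `.orderer` role can be resolved.

```yaml
# Constructed example: the Orderer section of configtx.yaml for three
# organizations that each run peers AND an orderer under one MSP.

# --- Weak: default BlockValidation with a dual-role organization ---
# "ANY Writers" defers to each ordering org's Writers policy. If that
# policy is OR('Company1MSP.member'), any valid certificate of the MSP
# (peer, client, admin) satisfies the block-signature check.
Orderer:
  Organizations:
    - Name: Company1
      ID: Company1MSP
      Policies:
        Writers:
          Type: Signature
          Rule: "OR('Company1MSP.member')"
  Policies:
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
---
# --- Hardened: restrict block signers to ordering-node certificates ---
# Only identities classified as orderers by NodeOUs may sign blocks.
# Peer and client certificates of the same MSP no longer satisfy it.
Orderer:
  Organizations:
    - Name: Company1
      ID: Company1MSP
      Policies:
        Writers:
          Type: Signature
          Rule: "OR('Company1MSP.member')"
  Policies:
    BlockValidation:
      Type: Signature
      Rule: "OR('Company1MSP.orderer', 'Company2MSP.orderer', 'Company3MSP.orderer')"
```

The MSP definition for each organization still appears in both the Orderer and Application sections of the channel config, so the two copies must stay identical, as the second quoted answer points out.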