I think I have found two bugs in the backup tool included in iThemes Security.
The first is directory exploration: some web servers have directory exploration active by default (meaning that if you visit a directory without an index page, the server lists the folders and files inside it).
So, if someone explores your website down to the ./wp-content/uploads/ithemes-security/backups directory, they could freely access the full blog database backup. Am I right?
The second bug comes with the WordPress network installation.
As you know, you should set a quota for every blog in the network: in this particular case, the size of the backups is counted in the main blog's media quota.
Let me know.
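
An added example, not part of the original post and not iThemes Security code: a local audit of the backup path named above, reporting which directories in the chain a listing-enabled server would list and which backup files stay reachable by URL. It assumes Apache with AllowOverride enabled, a simplified reading of .htaccess, and `.sql`/`.zip` backup extensions; the function names are hypothetical.

```python
import os
import re
import sys

# Directory chain from the post. Server behaviour below assumes Apache with
# AllowOverride enabled (an assumption; other servers ignore .htaccess).
BACKUP_CHAIN = ["wp-content", "uploads", "ithemes-security", "backups"]
INDEX_NAMES = {"index.php", "index.html", "index.htm"}
BACKUP_EXTS = (".sql", ".zip")  # assumed extensions, not stated in the post
NO_LISTING = re.compile(r"^\s*Options\s+.*-Indexes", re.I | re.M)
DENY_ALL = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)", re.I | re.M)

def read_htaccess(directory):
    """Return the text of directory/.htaccess, or '' when there is none."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return ""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def audit(wp_root):
    """Return (listable_dirs, fetchable_backups) for the backup path."""
    listable, no_listing, denied, current = [], False, False, wp_root
    for part in BACKUP_CHAIN:
        current = os.path.join(current, part)
        if not os.path.isdir(current):
            return listable, []
        rules = read_htaccess(current)
        # Simplification: rules are inherited downwards and never re-enabled.
        no_listing = no_listing or bool(NO_LISTING.search(rules))
        denied = denied or bool(DENY_ALL.search(rules))
        has_index = any(n.lower() in INDEX_NAMES for n in os.listdir(current))
        if not (no_listing or denied or has_index):
            listable.append(os.path.relpath(current, wp_root))
    # An index file or -Indexes only hides the names; the files stay
    # downloadable by URL unless access itself is denied.
    backups = [] if denied else sorted(
        f for f in os.listdir(current) if f.lower().endswith(BACKUP_EXTS))
    return listable, backups

if __name__ == "__main__":
    dirs, files = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("listable directories:", dirs or "none")
    print("backups reachable by URL:", files or "none")
```

Run it with the WordPress root as the only argument; an empty first list with a non-empty second list means the file names are hidden but the backups can still be downloaded by anyone who knows or guesses a name.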