ioquake3 has an option (cl_allowDownload) to auto-download game data (PK3 files) from multiplayer servers. It is not enabled by default. Because PK3 files can contain executable code, auto-downloading is a security risk. Enable it at your own risk, and only if you trust the administrator of every multiplayer server you use.
The executable code in PK3 files consists of "QVM" bytecode, which is run in a "sandbox" by the ioquake3 engine. The sandbox code has not been audited thoroughly, so it is likely that a malicious server administrator could provide QVM bytecode that does dangerous things.
Past security vulnerabilities that would have been mitigated by not auto-downloading include CVE-2007-2785, CVE-2006-3324, CVE-2006-3325, CVE-2006-3401 and CVE-2011-2764.