Im not a security engineer at all and I have an instant gut reaction to floats in regular code. ”How big can this get? Is it deserialized? What arithmetic ops are happening? Any risk of rounding error propagation?” etc.
Now, I wouldn’t necessarily mean I deem it bad practice in security contexts since again, I don’t know. But if an expert doesn’t consider those things, I would be surprised (and a little scared).