Very few people know about this feature or --force-local and therefore there is a _lot_ of software that passes filenames to tar where a colon could be injected by an untrusted source.
This will eventually get exploited in a big way, being used either to exfiltrate data (because tar -cf is also affected) or to untar the wrong data (e.g. after verifying the local file is good, a filename with a : is passed to tar -xf).
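An added example, not part of the original comment: a shell wrapper for scripts that hand an untrusted archive name to GNU tar. It always passes `--force-local` and `--`, and prefixes relative names with `./`. The function names are hypothetical, and the detection rule (a colon that is not the first character and has no `/` before it) is an assumption about how GNU tar decides a name is remote; the wrapper does not depend on it.

```shell
#!/bin/sh
# Added example: hardening for scripts that pass untrusted file names to GNU tar.
# Function names are hypothetical. Sample names in comments are constructed.

# Return 0 if NAME would be read as host:path without --force-local.
# Assumed rule: first colon is not at position 0 and no '/' precedes it.
tar_name_is_remote() {
    case $1 in
        :*)  return 1 ;;   # leading colon: treated as local
        *:*) ;;            # contains a colon: inspect the part before it
        *)   return 1 ;;   # no colon: local
    esac
    case ${1%%:*} in       # text before the first colon
        */*) return 1 ;;   # a slash before the colon means a local path
        *)   return 0 ;;   # e.g. "evil.example:backup.tar"
    esac
}

# Print NAME so that it cannot parse as host:path or as an option.
# Relative names get "./"; absolute names already start with '/'.
# Note: this also turns "-" (stdin/stdout) into the file "./-".
tar_local_name() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "./$1" ;;
    esac
}

# safe_tar MODE ARCHIVE [MEMBER...]   (MODE is c, x or t)
# --force-local turns off remote-archive parsing, the ./ rewrite is defence
# in depth, and "--" stops member names from being read as options.
safe_tar() {
    mode=$1 archive=$2
    shift 2
    case $mode in
        c|x|t) ;;
        *) echo "safe_tar: mode must be c, x or t" >&2; return 2 ;;
    esac
    [ -n "$archive" ] || { echo "safe_tar: empty archive name" >&2; return 2; }
    if tar_name_is_remote "$archive"; then
        # Worth logging: a colon-bearing name from an untrusted source.
        echo "safe_tar: '$archive' looks like host:path, forcing local" >&2
    fi
    tar --force-local "-$mode" -f "$(tar_local_name "$archive")" -- "$@"
}
```

The same check and verification step must use the rewritten name, so that the file that was verified is the file tar opens.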