Note: This does not apply if you untick Allow requests to the same domain in Preferences > Manage policies > Default Policy
images.example.com is assumed to belong to the same organization as www.example.com). The general risk is that it is possible for a site to direct traffic for a subdomain of theirs to a different company's IP address. This situation appears to be fairly uncommon at the current time, but is a real threat to privacy and is currently in use on various popular sites. The owner of example.com could point cdn.example.com to a content distribution network used on example.com, but that is actually owned by an other company (content delivery netowrks, analytics and tracking services...), or to direct traffic for ads.example.com to an other company that serves ads.personal.example.com on your local network, an attacker who controls another.example.com will be able to bypass RequestPolicy's default deny policy for personal.example.com, as it does not apply to requests to the same domain.www.evilsite.com could point his subdomain attack.evilsite.com to the IP address of your-bank.com, thus the requests to the bank site will be allowed. However, your browser will not send cookies saved for your-bank.com to the attacker, as they do not have the same domain name. This makes the attack less useful in most situations.