On the first point, it's just the optional allowable-tags argument, which as you point out appeared in 3.0.13.
On the second, no ... I suspect it is a potential problem, but haven't dug into the PHP source code to see. If I were doing annotation on a high-volume system it's something I would definitely worry about.
I wrote something similar years ago in shell scripts for a high-volume site and avoided the entire problem by creating a separate file for every message (actually it was a photo caption contest). The filename was constructed by concatenating the process ID and the Unix timestamp, which was pretty much guaranteed to be a unique string. "Playback" was something like "cat ls -t" .... it's amazing what you can do with primitive technology! That quick&dirty 20-minute code was in production for more than five years.
