For 'Does your app restrict the amount of data that is loaded and kept in the memory per request?'If your app performs CPU-intensive operations, is the amount of CPU bounded in some way?

Does the json validation mechanism load the full json text into memory? Or is it a streaming implementation?

The JSON validator currently loads the full json text which is stored in Macro body. This is necessary for validating the JSON tags before rendering the macro body. 

Is json validation a CPU intensive operation? Is there a timeout for the validation?

Will a very large or pathological json string cause the macro to fail to render, and thus cause the page to fail to render? A sample file I would consider large: (181mbs)

Since the data is stored as a macro body , the macro will will not load huge data files. This the same behaviour when you try to load the same data within a Confluence Page Section 

Is the validation performed on server-side, or client-side (browser)?

Will the front-end fail to render if the json being rendered is very large (or have many nodes)? Or is there a limit set to prevent issues with large DOM size from making the page unresponsive?

Again the amount of data which can be stored in the macro body is limited by Confluence Macro body storage. By default the node tress are rendered in collapsed mode to reduce the number of DOM elements.

Does the macro implement the StreamableMacro interface?

Does the macro render correctly in a PDF export? Will large json text cause PDF export to fail?

Yes macro supports PDF export. The macro body is placed within a <pre> tag for supporting PDF export and hence behaviour is similar to that of Confluence takes care of handling the export

Is the macro asynchronous, or synchronous? Will a large amount of json text block the page from loading other macros?

Macro is loaded asynchronoursly .

It does not block other macros from loading.

For 'Does your app ensure that attack strings are not reflected back to any user (XSS, and reflected XSS) or passed to other systems (the database - SQL injection, the search index)?'

Is it possible to check that the JSON parsing and rendering does not cause XSS issues?

Performance & Scale
Are you able to re-run a performance test with a load of 20 requests per second, and run the test for an hour? The length of time is recommended to prevent variations with cold caches and other uncontrollable matters (such as JIT).
In the performance test results, the size of the json being used in the macro is very small.
Are you able to increase the size to something larger (I think in the 1-2mbs size range should be sufficient to exercise the load required to simulate real usage)?