Reviewing Piwik deployment guidelines here.
Whilst Piwik is fairly robust security-wise (for a big PHP application), one is still increasing the attack surface by instrumenting an application with Piwik.
Aside from “image only” tracking, is there any scope for changing this within Piwik? e.g. One could embed the tracking code in an iframe, or otherwise sandbox it, so that if the Piwik server were compromised the compromise doesn’t automatically spread to the instrumented web application?
Obviously such an approach reduces the scope of what can be recorded by Piwik, although we can assume many items of interest (screen resolution, browser capabilities, client IP, etc.) remain the same whatever context they are measured in. One could also imagine serving the Piwik.js with a cache buster and infinite time to live, so that any such attack would only work against new users of your site.
I’m sure this must have been debated in depth before, but I have not found anything Piwik specific. There is some interesting discussion in OWASP Belgium around JSand.