File this under possible, being patched, and not currently being exploited in the wild. Chromecast and Google Home can be exploited to give your physical location away and to allow execution of commands from unauthenticated sources. This is according to research posted on Tripwire today.

The details of the exploit appear to involve someone on your network visiting a URL and staying on the page long enough for a script to run; that script appears to rebind DNS in some fashion, effectively letting an outside attacker reach devices as if they were on your network.

In-network commands evidently are not authenticated, and the weakness is not exclusive to Google; this particular attack was simply written for Google Home/Chromecast.

This means someone could start playing anything on any of your Chromecasts, get your location to within a few feet based on the Chromecast/Home devices around you, and potentially do whatever else unauthenticated local commands allow.

Patches are on the way. If you are worried in the meantime, put your IoT devices behind a separate router so they are not on the same subnet as your browsers and phones.
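As an added example (not from the Tripwire write-up or from Google's code), here are the two checks that blunt this class of attack, in Python: a resolver-side filter that refuses public names resolving into private address space, and the device-side Host header check a local HTTP API should perform. The local zone names and addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit

# Constructed example: DNS zones this network owns. Names under these
# zones may legitimately resolve to private addresses; nothing else may.
LOCAL_ZONES = ("home.arpa.", "lan.")


def is_rebind_answer(qname: str, answers: Iterable[str]) -> bool:
    """Resolver-side check. Return True if a name outside our local zones
    resolves to an address that only makes sense inside the LAN (RFC 1918,
    loopback, link-local, unspecified). Dropping such answers is what a
    rebind-blocking resolver does: the attacker's domain can then never
    point a victim's browser at a Chromecast or other LAN device.
    Note that Python's is_private also covers IANA special-use blocks
    such as the documentation ranges, which is acceptable here."""
    name = qname.lower().rstrip(".") + "."
    if name.endswith(LOCAL_ZONES):
        return False
    for answer in answers:
        ip = ipaddress.ip_address(answer)
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return True
    return False


def host_header_ok(host_header: str, device_addresses: Iterable[str]) -> bool:
    """Device-side check. A local HTTP API should only serve requests whose
    Host header names the device itself. After a rebind, the browser still
    sends the attacker's hostname in Host, so the request is refused even
    though it arrives from inside the network. urlsplit handles the
    optional port and bracketed IPv6 literals for us."""
    host = urlsplit("//" + host_header).hostname  # lower-cased, port stripped
    if host is None:
        return False
    return host in {addr.lower() for addr in device_addresses}


if __name__ == "__main__":
    # Constructed sample answers: a public name suddenly pointing into the LAN.
    print(is_rebind_answer("attacker.example", ["192.168.1.20"]))      # True
    print(is_rebind_answer("cast.home.arpa", ["192.168.1.20"]))        # False
    print(host_header_ok("attacker.example", ["192.168.1.20"]))        # False
    print(host_header_ok("192.168.1.20:8008", ["192.168.1.20"]))       # True
```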

[Tripwire]