Mandatory Profiles – Insecure by Default?
Thursday, 16 December 2010
by Michel Roth
Helge "UserProfile" Klein discloses why mandatory profiles are not secure. So NOW he tells us :-)
Mandatory profiles are generally considered fast and secure because they usually are small in size and cannot be modified by the user. While that is true – mandatory profiles stay pristine indefinitely – there is more to security than read-only access.
Mandatory profiles (MP) are a variant of roaming profiles: a master copy on a file server is copied to the RDS session host during logon. The resulting local copy is secured with file system ACLs that grant full access to the user (plus Administrators and SYSTEM) and to no one else. All is safe and secure – except in the case of mandatory profiles.
A user profile consists not only of file system data, but also of a registry hive (stored in the file NTUSER.DAT, or NTUSER.MAN in the case of a mandatory profile) that is loaded under HKU\<SID> and accessible from within the session via the well-known alias HKCU. In contrast to the file system, registry permissions are not changed during logon because that is not necessary – at least with roaming profiles, where the master copy of each hive already has the correct permissions.
Not so with mandatory profiles. As per the KB article How to customize default user profiles in Windows 7 (and older, similar articles), creating a mandatory profile involves changing the registry permissions on the master copy to Full Control for “Everyone”. Since many users are logged on simultaneously to an RDS session host, each server’s registry contains many users’ hives that are readable and writable by anyone, not just by the owner of the individual user profile, as it should be.
So on an RDS session host where mandatory profiles are used, a user can simply open Regedit, navigate to HKU\<Some other user’s SID> and read/write at will.
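The following PowerShell script is an added check for this condition; it is not part of Helge Klein's article or Michel Roth's post. Run it as an administrator on an RDS session host while several users are logged on: it walks every user hive loaded under HKEY_USERS and reports whether the hive's root key grants "Everyone" (the well-known SID S-1-1-0) Full Control, which is exactly the permission the KB procedure sets. The SID pattern used to select real user hives (S-1-5-21-...) and the output layout are my own choices.

```powershell
# Added example: audit loaded user hives under HKEY_USERS for an
# "Everyone: Full Control" ACE on the hive root key.
# Assumes it runs elevated on the session host (reading another user's
# hive ACL needs at least READ_CONTROL on that key). Not original page code.

$everyoneSid  = 'S-1-1-0'   # well-known SID for Everyone
$fullControl  = [System.Security.AccessControl.RegistryRights]::FullControl

# Only domain/local user SIDs (S-1-5-21-...); skips .DEFAULT, service SIDs
# and the <SID>_Classes hives, which have their own ACLs.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = "Registry::HKEY_USERS\$sid"

        try {
            $acl = Get-Acl -Path $path
        } catch {
            Write-Warning "Cannot read ACL of $path : $_"
            return
        }

        # Resolve the SID to an account name for readability; keep the raw SID on failure.
        $user = try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }

        # An ACE is "weak" when it is an Allow ACE for Everyone that includes
        # every right in FullControl (KEY_ALL_ACCESS).
        $weakAces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (& {
                try {
                    $_.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
                } catch { $false }
            }) -and
            (($_.RegistryRights -band $fullControl) -eq $fullControl)
        }

        [pscustomobject]@{
            Hive                = "HKU\$sid"
            User                = $user
            Owner               = $acl.Owner
            EveryoneFullControl = [bool]$weakAces
        }
    } | Format-Table -AutoSize
```

Any row with EveryoneFullControl set to True is a hive that every other session on that host can read and modify. On a correctly configured host the root key of each user's hive should list only that user, SYSTEM and Administrators, mirroring the file system ACL of the local profile copy. A non-administrative user can confirm the same thing from inside their own session with `Get-Acl -Path "Registry::HKEY_USERS\<other user's SID>"`; if that call succeeds for a hive that is not their own, the permissions are already too permissive.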
Source: http://www.sepago.de/d/helge/2010/12/13/mandatory-profiles-ae-insecure-by-default