Security and Performance implications of "View Server State"

There are no significant performance issues that I can think of from granting this permission. From a security perspective, you run the risk of letting a user see details about your weak spots; for example, a malicious user could view what your most common wait stats are, which could help them target a DoS attack against your server.

Is this possible? Definitely. Is this likely? I'm compelled to say No, but remember that it is estimated that 90 percent of attacks against companies are from internal attackers.
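As an added example (not part of either answer above), here is the T-SQL to grant the permission to a login and then list every server principal that holds it, so the grant can be reviewed later; the login name `app_monitor` is a placeholder.

```sql
-- Grant the server-level permission to a specific login (placeholder name).
GRANT VIEW SERVER STATE TO [app_monitor];

-- Audit: list every server principal that holds VIEW SERVER STATE directly.
-- Members of the sysadmin fixed server role hold it implicitly and will not
-- appear here, so check role membership separately.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.state_desc      AS grant_state,
       pe.permission_name
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'VIEW SERVER STATE'
ORDER BY pr.name;

-- Members of sysadmin (implicit holders of the permission).
SELECT m.name AS member_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- The kind of instance-wide data the permission unlocks (wait stats, as the
-- answer mentions); without the grant this DMV query fails with a permission error.
SELECT TOP (10) wait_type, wait_time_ms, waiting_tasks_count
FROM sys.dm_os_wait_stats
ORDER BY wait_time_ms DESC;
```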


As an administrator you would view this information as being in your domain (performance / index usage / etc.), but there are potentially compelling reasons that a development organization would want this information for a large legacy system they support, identifying zombie tables that are only touched by maintenance processes, for example.

In the end it always ends up being an issue of "luck and generosity" since the call on whether any particular request is justified ends up being a soft choice and not a crisp formula. The use of best practice patterns without looking at context is itself a pretty nasty anti-pattern and reality is that many approach their positions with "talk to the hand" as a starting point.
