Because pb-id is url-decoded and directly used to construct file path,
it is possible to read some stuff outside data directory, for example:

http://localhost:8080/raw/..%2FREADME.md

This example assumes that data directory is in the root of repository.