I wouldn't call it breaking an API. It's rather not maintaining bug compatibility, something that we usually don't consider in general. (And besides, I'm quite certain much worse incompatibilities than this one slip by unnoticed.)
The reason I believe there's a real chance of security issues in this area is that a quite important property of UTF-8 doesn't hold. If something that is assumed to behave a certain way doesn't, there's a real chance of code that is written with that behavior in mind and therefore doesn't work right. And in this case the misbehavior obviously can have security effects.
I've also seen code that assumes this property of UTF-8 in the LDAP module. Afaics there's no exploitable vulnerability there, but there's no reason to believe that's the only instance.