I am working on a replacement for BIP39 and noticed that the password section mandates a Unicode normalization pass but does not prohibit unassigned character points.

I believe that this is problematic as newer drafts of Unicode alter the output of normalization passes.  So if a user assigned a password using a wallet that linked to Unicode 9 but input a code point reserved in Unicode 10, updating the wallet to Unicode 10 could incorrectly remap that code point [0].