Hacker News

The same risk as installing any not-well-vetted server software. Except, from experience, I trust PHP code much less. Every PHP code base I have ever seen has been full of vulnerabilities. I don't like reading PHP code, so I don't feel like looking over it myself.


PHP had some poor defaults early on, but that was fixed long ago. Any decent PHP framework deals with SQL injection or XSS in the same way a decent Ruby/Python/etc. framework does. Judging from the fact they already released code and have experienced devs, I'd tend to trust Appleseed's PHP more than Diaspora's Ruby. (Personally, I prefer working in Ruby.)

At the end of the day, the hip new app with the latest fashionable framework might still send your plaintext password over HTTP.



