1. I'm a bad guy who wants to make is look like a registered user is posting junk. So I make an unregistered user with the same name (and I guess the email address the other user used) and start posting junk. Then a moderator comes along and merges my junk user into somebody's registered user. Now it really looks like they were posting garbage. It's hard to imagine the motivation for this. People flagging posts as spam/offensive would reduce the damage. Not only that, if the account does get merged into the "target user", that user will own all the posts, so she can simply delete them.
2. I'm a bad guy who wants to steal the account of a non-registered user. So I register a user with the same name (and guess the email address the other user used). Then a moderator comes along and merges their unregistered account into my registered account. Now I change the name and email to my own and I get all the credit for their posts. It's easier to imagine the motivation here, but again the damage can be easily handled. As soon as a moderator becomes aware of what happened (I imagine the "target user" or somebody would send an email), he can simply give control of the account to the rightful party by editing the OpenID in the user's profile.

Basically, my poll question is whether the (I think remote) possibility of one of these attacks and the hassle of dealing with them outweighs the annoyance of people accidentally creating multiple accounts.

Disclaimer: If I have stronger evidence that two users ought to be merged (e.g. a registered and unregistered account have the same name, email, and IP), then I have no reservations about merging them. If you object to that, please say so and I'll stop doing it.

Poll Question: if somebody has an orphaned cookie-based account and a registered account under the same name and email address, is it safe to merge the accounts without confirming via email?

It's quite easy for me to produce a list of all users in this situation, and I'm occasionally in the mood for tidying up, so I could just merge a few now and then. Any time I've emailed people about it (usually because it came up on meta that they have a duplicate account), they've always responded positively. Emailing people is boring and tedious; I'd rather have duplicate accounts floating around than do it. But merging users is an irreversible procedure, so I'd like to be really sure that nobody is going to feel violated if I merge their accounts without asking them. Can you imagine a situation where somebody could reasonably want to keep their cookie-based account separate from their registered account? (Remember I'm assuming they're using the same name and email, ruling out the possibility that they are using the cookie-based account to post anonymously sometimes.)