The Multicall contract from Uniswap's v3-periphery relies on bad revert handling. It incorrectly shifts the pointer of returned data array by 4, which causes the length to be the concatenation of the actual length and the first 4 bytes of the revert data, which is usually the 4 byte Error signature.
Although the current solidity implementation of abi.decode is able to ignore the length given and parse the string correctly, the reliance of abi.decode should not be the determining factor of whether the code is secure or not.
Furthermore, OpenZeppelin's library is able to bubble up custom errors correctly thus should be preferred over the Uniswap's implementation.
https://medium.com/@0xdeadbeef0x/the-double-edged-sword-of-abi-decode-f81529e62bcc