This issue has the most recent discussion about this, as of last week, including Marten’s opinion (the author of our HTTP/3 lib):
If there is a vulnerability there, it is orthogonal to the web server and likely more of an application concern. (Replay attacks are not unique to 0-RTT.)