Playing around with things a bit, it seems like if the user's role has permission to edit others' profiles, they can steal others' identities (overwrite their file). They can't however change to a non-existing username; the page sticks at the call to the member__update_profile() hook.

If the user's role doesn't have permission to edit others' profiles, no matter what (whether or not the username is taken), they get the error message: You are not allowed to edit another member’s profile.