Description
Right now a widget's update callback gets fired (e.g. to ensure values are sanitized) when a widget form is updated and that update is previewed in the customizer. However, the updated widget instance is then not sent through the widget's update callback again when the customizer is saved. This means that there is currently a way for users to hack a widget's instance (bypass the update callback) by manipulating the widget's setting in JavaScript, since all the settings are stored in memory. This could be a security issue. I believe the widget update callback should be added to the customize_sanitize_* filter for each widget, if this is where the setting is filtered before saving to the DB. Each instance of the customizer control for widget forms can supply the update callback as the WP_Customize_Setting::$sanitize_callback parameter.
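An added example of the wiring proposed above, written here for illustration and not taken from the issue or from WordPress core: it hooks the widget's own update() into the customize_sanitize_{$id} filter so the instance is re-sanitized at save time. It assumes widget instance settings are registered with ids of the form widget_{id_base}[{number}] and that the widget class is registered with the global widget factory.

```php
<?php
/**
 * Added example (not WordPress core code): route each widget instance setting
 * in the customizer through the widget's own update() at save time, so a value
 * edited in JavaScript cannot bypass the widget's sanitization.
 *
 * Assumption: widget instance settings use ids like "widget_text[2]".
 */
add_action( 'customize_register', function ( WP_Customize_Manager $wp_customize ) {
	global $wp_widget_factory;

	foreach ( $wp_customize->settings() as $setting ) {
		if ( ! preg_match( '/^widget_(?P<id_base>.+)\[(?P<number>\d+)\]$/', $setting->id, $m ) ) {
			continue; // Not a widget instance setting.
		}

		// Locate the WP_Widget object whose id_base matches the setting id.
		$widget = null;
		foreach ( $wp_widget_factory->widgets as $candidate ) {
			if ( $candidate->id_base === $m['id_base'] ) {
				$widget = $candidate;
				break;
			}
		}
		if ( ! $widget ) {
			continue;
		}
		$number = (int) $m['number'];

		// WP_Customize_Setting wires its sanitize_callback onto this filter in
		// its constructor, so adding a filter here (priority 20, after the
		// original callback) is the reliable way to append the update() pass.
		add_filter( "customize_sanitize_{$setting->id}", function ( $new_instance ) use ( $widget, $number ) {
			// Old instance comes from the stored option, as WP_Widget::update_callback() does.
			$all_instances = (array) get_option( 'widget_' . $widget->id_base, array() );
			$old_instance  = isset( $all_instances[ $number ] ) ? (array) $all_instances[ $number ] : array();

			// Same contract as WP_Widget::update_callback(): returning false
			// from update() means "reject the change", so keep the stored instance.
			$updated = $widget->update( (array) $new_instance, $old_instance );
			return ( false === $updated ) ? $old_instance : $updated;
		}, 20 );
	}
}, 20 ); // Run after the widgets component has registered its settings.
```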