Poorly configured public computers (in libraries, schools etc.) might retain form history for form fields that give away the name or email address of users who have previously used the computer. This affects the login page mainly (username, possibly email after T30085: RFC: Allow user login with email address in addition to username), but also signup, password reset, preferences in more fringe scenarios. As a result other users of the machine might learn the private email or approximate geographical location of the user. This is in theory the responsibility of the operator of the computer (as we can't tell whether it is a public one or not) but it's probably pretty common that they don't live up to the task.
Form history can be disabled with autocomplete=off but that is also likely to prevent browsers' built-in password managers from working properly. (Recently, Chrome and Firefox got new and fairly sophisticated password managers though so maybe not the case anymore?) We should consider which side of that trade-off we want.
(Also we should probably turn autocomplete off for all the fields not involved in login, like the email address on the password reset form. It has no use and has a tiny chance of doing harm.)