Function json_encode is a string displayed as json, i.e. in our case the function uses inverted commas for strings which are displayed by means of echo.
Frankly speaking, we don't quite see the difference as these strings are used with inverted commas anyway.
We did follow your advise, however, and implemented necessary changes. Please note the issue does not have to do with security leak.