I've kept "display-amount" to avoid clients having to be able to
parse payment URIs, but it's non-authoritative.

I can see why you want this. But I'm also a bit concerned abmut the security implications of having a possible "$2" label on a $2000 payment. 

Yes, that's the risk, which is why I mention it in the security considerations.

Perhaps we should just remove it, but then clients which don't know the URI scheme won't be able to show the amount to the user, which sucks.