You don't need to install CM, just root the device and install XPrivacy. You can open very small holes without having to grant full permissions (e.g. read file /sdcard/xxxx instead of read/write to the whole sdcard).
1) A terrible, terrible User Interface. As a connoisseur & past perpetrator of bad UIs I know one when I see one & the XPrivacy UI is awful. The GUI of the App itself is obtuse, consisting of an enormous laundry list of Android API function calls with no clear explanation of what impact they have on the user's data. Meanwhile, the prompts shown to the user when an App asks for access to a resource which is marked as requiring a prompt to the user are atrocious: Now you have to decide whether or not to allow some opaque Android function call but you'd better decide quickly because there's a timer running out on the screen in front of you: If you don't decide before the timer runs out then the App will get one-time access to that resource.
Did I mention that this is a terrible UI? It could be the poster child of UIs written by software engineers for people that are exactly like them.
2) It's not actually secure. Because it injects code into the address space of the target App, an App that is "XPrivacy aware" can overwrite that code with its own code and eliminate the protections that XPrivacy claims to provide. (Technically the App has to load a binary library in order to do this, but many Apps need binary libraries so the user is likely to give permission to issue a loadLibrary() call & once that's happened all the XPrivacy guarantees are dead letters.)
XPrivacy also requires the entire XPosed framework to be installed & I'm not entirely sure I trust that either. I doubt it's ever been audited by a security professional of any stripe.
IMO, you get a much stronger privacy guarantee from either CyanogenMod or one of the other Android forks that build on the AppOp API that Google inadvertently shipped with previous Android versions.