What's the risk of updating the token of a data field in the request type and request header type? I did a simple test: it seems that the data of requests created prior to the change are still fine. I don't have meta layer report to worry about.
All the out-of-the-box components and any custom objects refering only to the field (and not token) will automatically take the new token value. Mostly the following places would need to be checked, like, any custom database script that is existing in the system including custom portlet sql, custom report sql, request type rules. Also, it may affect the security in workflow or request where if specifically or directly the token values are used, any commands if you have used, notifications, etc. Though, all this considering the token value you are changing is of the custom field that you have created. If the token value is of any out-of-the-box field, then sure it may affect many out-of-the-box components, mostly, like any logic associated with that out-of-the-box token, any portlet, report, etc.