Unsecured initializer (UUPS)

After upgrading a UUPS proxy to a new implementation. Is there any security risk in not calling the unsecured initializer of the new implementation directly? Could an attacker who initializes the new implementation directly (without going through the proxy) cause any harm?

In general: Should I call the initialize() function on the implementation contracts also directly or is it enough to call it once through the proxy when deploying the first version of implementation.

Based on different storage of the contracts I think the implementation contracts can be left uninitialized. Just want to make sure, since the implementation contract should hold some assets in future.

My initializer (and constructor) of the new (and old implementation) are looking like this:

Implementation V2

constructor() {
    _disableInitializers();
}
 function initialize() public initializer {
      __Ownable_init();
    }

You should initialize the implementation contract so that it cannot be initialized by an attacker (see Caution note for Initializable). When you say "the implementation contract should hold some assets in future", that sounds like a strange approach because the implementation contract itself would not be upgradeable.

But by having this in your implementation:

/// @custom:oz-upgrades-unsafe-allow constructor
constructor() {
    _disableInitializers();
}

, that by definition already initializes the implementation contract because it sets the initialized version to the maximum value, which prevents someone from calling the initializer or reinitializer on the implementation afterwards. So if that is defined, there is no need to initialize the implementation contract manually.