There's more...

When using sudo() without an argument, you set the user of the context to the Odoo superuser. This superuser bypasses all the security rules of Odoo, both the access control lists and the record rules. By default, this user also has a company_id field set to the main company of the instance (the one with ID 1). This can be problematic in a multi-company instance:

  • If you are not careful, new records created in this environment will be linked to the company of the superuser
  • If you are not careful, records searched in this environment may be linked to any company present in the database, which means that you may be leaking information to the real user, or worse, you may be silently corrupting the database by linking together records belonging to different companies

When using sudo(), always double-check to ensure that your calls to search() don't rely on the standard record rules to filter the results, and ensure that your calls to create() do not rely on default values that are computed using some of the current user's fields, such as company_id.

Using sudo() also involves creating a new Environment instance. This environment will have an initially empty recordset cache, and that cache will evolve independently from the cache of self.env. This can cause spurious database queries. In any case, you should avoid creating new environments inside loops, and try to move these environment creations to the outermost possible scope.
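
The two multi-company pitfalls and the loop advice above, shown side by side in an added example that is not code from the original text. FakeModel, sample_rows and both helper functions are hypothetical names; FakeModel only imitates the sudo(), search() and create() behaviour described in this section so that the helpers run without an Odoo server.

```python
# FakeModel is a constructed stand-in for an Odoo model so the helpers run
# offline; in a real module you would pass self.env['your.model'] instead.
class FakeModel:
    def __init__(self, rows, user_company, superuser=False):
        self.rows, self.user_company, self.superuser = rows, user_company, superuser

    def sudo(self):
        # As with sudo(): same data, but record rules no longer apply.
        return FakeModel(self.rows, self.user_company, superuser=True)

    def search(self, domain):
        # Only the "=" operator is imitated here.
        rows = [r for r in self.rows if all(r[f] == v for f, _op, v in domain)]
        if not self.superuser:  # record rule: the user's own company only
            rows = [r for r in rows if r["company_id"] == self.user_company]
        return rows

    def create(self, vals):
        # Default company_id is the superuser's company (ID 1) under sudo().
        default = 1 if self.superuser else self.user_company
        row = {"company_id": default, **vals}
        self.rows.append(row)
        return row


def sample_rows():
    # Constructed sample data: open orders in two companies.
    return [{"state": "open", "company_id": 1},
            {"state": "open", "company_id": 2},
            {"state": "done", "company_id": 2}]


def unsafe_copy_open_orders(model):
    """Relies on record rules and defaults that sudo() has switched off."""
    su = model.sudo()
    return [su.create({"state": "copy"}) for _ in su.search([("state", "=", "open")])]


def safe_copy_open_orders(model, company_id):
    """Explicit company in the domain and in the values; one sudo() call."""
    # company_id is read from the real user before sudo() is called.
    su = model.sudo()  # created once, outside the loop
    found = su.search([("state", "=", "open"), ("company_id", "=", company_id)])
    return [su.create({"state": "copy", "company_id": company_id}) for _ in found]
```

For a user of company 2, the unsafe helper reads the company 1 order and files both copies under company 1, while the safe helper creates a single copy under company 2.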