Dont use Reddit username or Facebook username or anything like that even if it could be cool. That way you dont have to worry even if some log file or error stack trace recorded your username.
Not really - a SQL Injektion would be naming my user user"; DROP TABLE USERS;-- or something like that.
My string is harmless but might scare web devs: How often do you see pseudocode like this?
log(INFO, "User "+user.userID+" logged on")
Usually this should print User @someone@example.com logged on as the variable content gets converted to a string. But if the variable is not a simple datatype like string, but a complex one, there might be errors. If you do the concatenation above with an object instead of a string, this would only print User [object Object] logged on. Now when the web dev sees this line he's going to try to find the Bug, where this variable gets set to the wrong value/type, when in reality it's just your carefully crafted user name.
If you open your Browser and hit F12, go to the console and type
console.log(""+{}) you get an Object {} converted to a string by joining it with another empty string.