CSS insertion is almost as good as a script injection. You have expression() in IE6-7 (and later in compatibility view), you have behavior: (HTC) in IE, you have -moz-binding: in Firefox, you have content: to insert text, and sometimes, mostly in older browsers that don't block it, you have url(javascript:...). Even without these, you have sufficient risk just from visual UI spoofing.
As long as the user style sheet is limited to the user who created it, the user can only compromise himself. The problem occurs when users start sharing style sheets. Perhaps you may want to prevent users from choosing the same address of the external stylesheet as another user to prevent this.
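An added example, not part of the original answer: a check that flags the constructs listed above in a user-submitted stylesheet, after stripping comments and decoding CSS escapes so that split or escaped keywords are still seen. The names findRiskyCss, normalizeCss and RULES and the sample stylesheets are constructed for illustration.

```javascript
// Added example: flag the CSS constructs named in the answer above.
// findRiskyCss, normalizeCss, RULES and the samples are hypothetical names/data.
const RULES = [
  ["expression()", /expression\s*\(/],
  ["behavior:", /(^|[^a-z-])behavior\s*:/],      // guard skips scroll-behavior:
  ["-moz-binding:", /-moz-binding\s*:/],
  ["content:", /(^|[^a-z-])content\s*:/],        // guard skips align-content:
  ["url(javascript:)", /url\(\s*["']?\s*javascript\s*:/],
];

// Bring the stylesheet to one canonical spelling before matching:
// drop comments, decode backslash escapes, lower-case everything.
function normalizeCss(css) {
  return css
    .replace(/\/\*[\s\S]*?\*\//g, "")                  // strip /* ... */ comments
    .replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?/g,      // hex escapes such as \62
      (_, hex) => {
        const cp = parseInt(hex, 16);
        return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
      })
    .replace(/\\([^\r\n\f])/g, "$1")                   // single-character escapes
    .toLowerCase();
}

// Returns the names of every rule that matches the normalized stylesheet.
function findRiskyCss(css) {
  const text = normalizeCss(css);
  return RULES.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Constructed sample stylesheets (not taken from the page).
const samples = {
  plain: "body { color: #333; scroll-behavior: smooth; }",
  commentSplit: "div { width: exp/**/ression(document.title); }",
  escaped: "a { \\62 ehavior: url(x.htc); -moz-b\\69nding: url(x.xml#y); }",
  jsUrl: "p { background: URL( 'javascript:void(0)' ); }",
  text: "h1::after { content: 'Session expired, sign in again'; }",
};

for (const [name, css] of Object.entries(samples)) {
  console.log(name, findRiskyCss(css));
}
```

A match list like this suits review or logging of shared stylesheets; it is not a full CSS sanitizer.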