Important: The data that is retrieved and viewed may or may not be the same as the data that is being sent to the requesting site. A managed card is encrypted so that it can only be opened only by the requesting site. When you retrieve a version of the requested data, it is the responsibility of the managed card provider to send an accurate copy of what the card provider will send to the site. If you do not want to send the retrieved data, you can choose another card or you can exit Windows CardSpace.
There's no guarantee that what you think you are transmitting is really what you are transmitting.
After you send data on a card, you cannot control what the site does with your data. Use caution when deciding what data you will send and to whom you will send it.
These aren't my words - they are Microsoft's (at least in the version of Vista I have). See for yourself! Open up your Windows control panel, then look for "Windows Cardspace". Open this, and set up a new card; create a personal card, and enter in some data. In the upper right of the window (under the Tasks heading) select the "What data should I include on my card". You'll find the text there.
I guess user-centricity will actually happen in a future release. Some new identity policy standards might have something to do with that.