I just read this fabulous post from Mike Schierberl's blog on Variables Scope Leaking and I thought I would pass it on as a good read. To summarize, it is a common practice to create a component into the application scope and include an "init()" type function in it that returns an instance of itself. For example you might have an "employee" component who's "init()" function takes an employee id as an argument and returns an instance of "employee" populated with user data. That's pretty standard. If you return this new populated instance into the variables scope you would expect the variable to be discarded at the end of the request. Mike's post shows that this does not happen as expected. Because the variables returned are referenced (as apposed to "by value") they persist beyond the request termination.
As a fix you can add structClear(variables) to the end of your request - in the onRequestEnd() function for example. I can't explain it better than Mike. He includes a sample and a flash movie of how he came to his conclusions. It's very thorough.
Robi Sen ran his own tests against the SUN JVM. He contests the assertion that this is a Coldfusion issue and he's focused on the JVM. His results may be found