I've discussed this further with Tomas and he told me he successfully tested that our impl does not exceed the given (configured) memory limits.
You have to switch the queue settings to: address-full-policy=BLOCK (the default is PAGE, which can cause the disk space to be exceeded and perhaps slow down the node if there are really a lot of recipients, which is, well, not ideal) :-).
The best option would be to use address-full-policy=FAIL. I believe this will fail the transaction and the queue will try to redeliver, but I still have to get to confirming that. (This can be configured to use exponential back-off and try to deliver so many times that it really does its job (such as try to redeliver after 5 seconds, but repeat that e.g. up to 2 hours, then finally fail the message as non-deliverable)).