Apparently strings, numbers,
null are considered valid JSON even though they consist of a single escaped value. (I recently discovered this while accepting API data from a third-party and they accidentally double-encoded the JSON body payload.
To prevent this issue from occurring again, I wrote a CFML User-Defined Function (UDF) to test whether a string can successfully parsed to an object and/or array (versus accepting an invalid simple value). Enjoy!