LLDP can be easily spoofed (as can CDP). Tools to do so, like VoipHopper (CDP) and LLDP Generator (LLDP) are publicly available.
Example with LLDP Generator:
./tool.py -p lldp -tlv sys-name "FakePhone" -tlv sys-desc "See, I can spoof LLDP" -tlv chid -ipv4 "123.45.67.89"
Will show on your switch like:
HPE-Aruba-Lab3810# show lldp info remote-device 4
LLDP Remote Device Information Detail
Local Port : 4
ChassisType : network-address
ChassisId : 123.45.67.89
PortType : mac-address PortId : 30 85 a9 aa aa aa SysName : FakePhone
System Descr : See, I can spoof LLDP PortDescr : Pvid :
System Capabilities Supported :
System Capabilities Enabled :
Remote Management Address
I did not take the time so spoof the system capabilities, but that should not be that hard to fake your Avaya Phone. So it is okay to use LLDP as a convenience feature, probably not to use it as a securlty feature as there is no protection whatsoever in the protocol.
The more secure solution would be to really authenticate the phone with 802.1X; the required securlty level depends on what is acceptable in your environment and was the outcome of the security assessment.