That's basically what the recent log4j security vulnerability was all about. "Helpfully" interpolating logs by default.