Poor supervision over something like Google Tag Manager resulting in someone on the PR team adding extra stuff without being fully aware of the repercussions
The way I could imagine it happens is that they use GTM to trigger Facebook tags, for example to remarket people who have donated to ECPAT, since people who donate are likely to do so again after say a month or during Christmas so that's a perfect audience to have available for an ad campaign. But they have GTM fire FB on every single page out of convenience, since setting up rules in GTM on where to trigger it is work. The tip-off page is hosted on the same environment, so FB triggers by default.
Not 100% on this but if they aren't granted sufficient GTM access and the site is an SPA devs may not even have access of where to trigger it beyond blocking instantiation on certain pages.
100% this, the marketing team wants to have Google Tag Manager to inject random marketing scripts all across the page and management backs them up and then the development team has no insight to or no say in what actual scripts are run on a specific page.
That said: This is a GDPR nightmare and so is Google Tag Manager
It really doesn’t fix it, since the whole point of GTM is to allow arbitrary code execution on any page by marketing teams. (Yes, this is as bad of an idea as it sounds)