Hacker News
by Rapzid 894 days ago
Ah, GTM.

I think people might be shocked that access to this RCE backdoor is often given to non-technical roles and even outsourced marketing resources. With no controls in place at all.

Security nightmare.

1 comments

That's why at Sentry non-technical people don't have the ability to publish new GTM versions. It's tightly controlled because we don't want marketing to shove things in there without engineering and security reviewing.
The joys of reviewing a GTM change submitted by some Chad at "Marketers R Us" where they copied a minimized, practically obfuscated, JavaScript blob of unknown origin into the browser.

LGTM!

FML...

Also GTM can get fucked.