by cassianoleal 53 days ago
It may not be arbitrary code but it's still remote code execution.

The service provider has direct access to my infrastructure. It's one supply chain attack, one vulnerability, one missed code review away from data exfiltration or remote takeover.

1 comment

What better alternative do you have? It's either you go full SaaS, which means you rely 100% on the vendor, or work like 20 years ago with fully on-prem. BYOC is the fine balance imo, that requires proper infra and implementation.