I agree with what you are saying. As one thing that people sometimes do is give all permission to one rank under Owner and put no owner or a bot owner so that they can still manage the funds and do all that but no other harm can come from it.
Regarding’s to this thing what you should do is get an Anti-Virus plugin that will track and alert of all possible threats as it will help you track down what is where it is since one of our devs had a plugin that was compromised and kept putting these scripts in as many hidden places as possible. But I believe that it is an Asset that has been compromised and the require(1234) Has been changed to their new Malicious one. So it will be a little harder to find. (This is just a theory)