This has always been the case. And suddenly, we are putting up padlocks and fences on every door because apparently, we starting having fantasies about a potential that we hired zombies in our org and they are now inside the house.
I find myself in high agreement with Marc here. For every 1 “potential” phish attack this blocks, we blocked 1000 script editor blocks that could have produced 10x that productivity for every team.
Why don’t we use Machine Learn to recognize phishing attacks and treat that as a separate problem: warn the admins; instead of blocking useful scripts from pro-user wanting to go dev?
We don’t stop people sending emails with attachments — we just check for virus in the attachment.
SPFx not safely running in a sandbox is a problem for ISVs and that’s not currently addressed. It is not a problem for employed citizen developers who are trying to improve productivity. By making it a problem — we stopped having progress.