Website security considerations when using a tag manager
When you install Matomo Tag Manager, users with admin access will be able to create custom HTML tags, triggers, and variables that may execute JavaScript on your website. These custom templates could be misused, for example, to steal sensitive information from users (known as XSS). You can optionally disable these custom templates under “Administration => General Settings” or restrict the usage to only super users.
Users with “write” access will be able to edit any Tag Manager container (tags, triggers, variables) but not any of the custom templates.