We often get security reports (e.g. SEC-22, SEC-24) that only describe vulnerabilities in Camunda if an attacker can control the BPMN deployments. Since Camunda does not provide a proper sandbox for BPMN execution (scripts, expressions and BPMN control flow allow various attacks such as DoS or remote code execution if they are under the control of an attacker), it is essential that only trusted users/systems get access to the deployment APIs.
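As an added illustration of the point above (not code from this ticket or from the Camunda project), the following snippet shows how a deployment can be restricted to a trusted group with Camunda's authorization feature: authorization checks are switched on, CREATE permission on the DEPLOYMENT resource is granted to one group only, and the effect is verified for a member and a non-member. The group name `deployers` and the user ids are constructed for the example, and the in-memory engine bootstrap is assumed to stand in for the real engine configuration.

```java
import java.util.List;

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngineConfiguration;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;

public class RestrictDeploymentAccess {

    public static void main(String[] args) {
        // Authorization checks are off by default; in that state every caller that can reach
        // the deployment API may deploy arbitrary BPMN, which is the risky configuration.
        // (In-memory engine used here only as a stand-in for the real engine setup.)
        ProcessEngineConfiguration cfg =
            ProcessEngineConfiguration.createStandaloneInMemProcessEngineConfiguration();
        cfg.setAuthorizationEnabled(true);
        ProcessEngine engine = cfg.buildProcessEngine();

        AuthorizationService authz = engine.getAuthorizationService();

        // Grant CREATE on the DEPLOYMENT resource to a single trusted group ("deployers" is an assumed name).
        Authorization grant = authz.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        grant.setGroupId("deployers");
        grant.setResource(Resources.DEPLOYMENT);
        grant.setResourceId(Authorization.ANY);
        grant.addPermission(Permissions.CREATE);
        authz.saveAuthorization(grant);

        // Verify: a member of the trusted group may deploy, a user outside it may not.
        boolean trustedMayDeploy = authz.isUserAuthorized(
            "ci-bot", List.of("deployers"), Permissions.CREATE, Resources.DEPLOYMENT);
        boolean otherMayDeploy = authz.isUserAuthorized(
            "random-user", List.of("users"), Permissions.CREATE, Resources.DEPLOYMENT);

        System.out.println("member of deployers may deploy: " + trustedMayDeploy);
        System.out.println("other user may deploy: " + otherMayDeploy);

        engine.close();
    }
}
```

The same grant can be created through the REST API or the admin web app; what matters for the issue described here is that authorization is enabled at all and that CREATE on DEPLOYMENT is not handed to every authenticated user.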
The security instructions do not state that clearly enough, e.g.: