Spawn eggs do not make sure that the entity is valid for the egg, allowing for arbitrary command execution in certain cases
Spawn eggs can spawn entities other than their named one based on the id tag. This means that command blocks (in the form of a falling block) and command block minecarts can be summoned by them. While command blocks and falling blocks are filtered for non-ops, spawner minecarts are not; one can simply create a spawner minecart that spawns a command block minecart.
/give @p minecraft:phantom_spawn_egg{EntityTag:{id:"minecraft:spawner_minecart",SpawnData:{"id":"minecraft:command_block_minecart","Command":"say hi"}}}
(for reference, these commands do not work for non-ops, though I originally thought they did:
/give @p minecraft:cod_spawn_egg{EntityTag:{id:"minecraft:falling_block",BlockState:{Name:"minecraft:command_block"},Time:1b,TileEntityData:{"Command":"say hi"}}}
/give @p minecraft:evoker_spawn_egg{EntityTag:{id:"minecraft:command_block_minecart",Command:"say hi"}}
)
(the spawn egg type is chosen only to make it clear in the inventory; any type may be used)
Such spawn eggs can be obtained by non-op players in creative mode using saved toolbars, and can be placed either by the player or from a dispenser.
These eggs can also change spawners to arbitrary entities, although the NBT is not copied (similar to MC-111317).
This was originally noted in MC-136512, although the reporter of that did not (does not) know of the security implications.
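A server-side check for the missing validation described above, as an added example that is not part of the original report or the game's code. It assumes the item's NBT has already been parsed into dicts and lists, that an egg named `<name>_spawn_egg` should only spawn `<name>`, and that the `OPERATOR_ONLY` list is a policy chosen for illustration. All function names are hypothetical.

```python
# Added example: audit a spawn egg's parsed NBT before the server accepts it.
OPERATOR_ONLY = {  # assumed policy list, not taken from the game
    "minecraft:command_block_minecart",
    "minecraft:falling_block",
    "minecraft:spawner_minecart",
}

def normalize(entity_id):
    """Ids written without a namespace default to 'minecraft:'."""
    entity_id = entity_id.lower()
    return entity_id if ":" in entity_id else "minecraft:" + entity_id

def expected_entity(item_id):
    """Assumption: '<ns>:<name>_spawn_egg' should spawn '<ns>:<name>'."""
    item_id = normalize(item_id)
    suffix = "_spawn_egg"
    return item_id[:-len(suffix)] if item_id.endswith(suffix) else None

def nested_ids(node, path="EntityTag"):
    """Yield (path, id) for every string 'id' at any depth (SpawnData, Passengers, ...)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "id" and isinstance(value, str):
                yield path, normalize(value)
            else:
                yield from nested_ids(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from nested_ids(value, f"{path}[{i}]")

def audit_spawn_egg(item_id, tag):
    """Return a list of findings; an empty list means the egg is acceptable."""
    expected = expected_entity(item_id)
    if expected is None:
        return []  # not a spawn egg
    findings = []
    for path, found in nested_ids((tag or {}).get("EntityTag", {})):
        if path == "EntityTag" and found != expected:
            findings.append(f"{path}.id is {found}, egg type is {expected}")
        if found in OPERATOR_ONLY:
            findings.append(f"{path}.id names operator-only entity {found}")
    return findings

# Constructed sample: the NBT from the report's first /give command, as parsed data.
REPORTED = {"EntityTag": {"id": "minecraft:spawner_minecart",
            "SpawnData": {"id": "minecraft:command_block_minecart", "Command": "say hi"}}}
```

Run against creative-mode inventory updates and dispenser contents, the top-level mismatch check alone rejects the reported egg; the recursive walk additionally covers entities nested under `SpawnData`.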
2018-09-06, 05:59 AM
2021-08-22, 12:59 PM
2018-10-18, 02:23 PM