Yeah, the whole rush on "post-run hooks bad" isn't really adding all that much to security.
Like, congratulations, your dev was compromised a whole 10 minutes later, after he ran the code.