> The point is they added another attack surface, however small, and another code path that should be tested.

I dunno, "attack surface" to me means "facilitate opening/vulnerability somehow" and none of the easter egg code I've seen has done that. You have any concrete examples where a easter egg made possible a security vulnerability that wouldn't be possible otherwise?

But yes, another code path created by easter eggs that wasn't tested I've seen countless of times, but never been an issue, but maybe our easter eggs always been too small in scope for that.