Jan 12, 2023
Thanks for your feedback.
The other risk is Virtual Machines, which is well known.
Except for the part that you don't need to have login permissions to the Azure VM to get an access token from the Managed Identity.
When you have Virtual Machine Contributor permissions, you essentially only have the permissions to manage the VM resource.
Nonetheless, using the Script Command, you are still able to request the access token.
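
An audit for the exposure described in the comment above, as an added example that is not part of the original comment: it lists every principal whose role can run commands on a VM and shows which managed identity roles that principal can reach through the VM. It assumes the "Script Command" mentioned refers to Azure's Run Command feature (RBAC action `Microsoft.Compute/virtualMachines/runCommand/action`); the role map is simplified and all principals, scopes and VMs are constructed sample data.

```python
import fnmatch

# Assumption: "Script Command" in the comment is Azure Run Command.
RUN_COMMAND = "Microsoft.Compute/virtualMachines/runCommand/action"

# Simplified role -> Actions map (NotActions and DataActions are ignored here).
ROLE_ACTIONS = {
    "Contributor": ["*"],
    "Virtual Machine Contributor": ["Microsoft.Compute/virtualMachines/*"],
    "Reader": ["*/read"],
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
VM_TYPE = "/providers/Microsoft.Compute/virtualMachines/"
VMS = [  # constructed inventory: VM resource id and attached managed identities
    {"id": SUB + "/resourceGroups/rg-app" + VM_TYPE + "vm-app", "identities": ["mi-app"]},
    {"id": SUB + "/resourceGroups/rg-app2" + VM_TYPE + "vm-plain", "identities": []},
]
ASSIGNMENTS = [  # constructed role assignments, users and identities alike
    {"principal": "alice", "role": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principal": "bob", "role": "Reader", "scope": SUB},
    {"principal": "carol", "role": "Contributor", "scope": SUB + "/resourceGroups/rg-app2"},
    {"principal": "mi-app", "role": "Key Vault Secrets User",
     "scope": SUB + "/resourceGroups/rg-secrets/providers/Microsoft.KeyVault/vaults/kv-prod"},
]

def grants(role, action):
    """True if any Actions pattern of the role matches the action (case-insensitive)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in ROLE_ACTIONS.get(role, []))

def in_scope(scope, resource_id):
    """True if resource_id is the scope itself or sits below it (segment boundary)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def escalation_paths(assignments, vms):
    """(principal, vm id, identity, identity role, identity scope) for each indirect grant."""
    paths = set()
    for a in assignments:
        if not grants(a["role"], RUN_COMMAND):
            continue
        for vm in (v for v in vms if in_scope(a["scope"], v["id"])):
            for ia in assignments:
                if ia["principal"] in vm["identities"]:
                    paths.add((a["principal"], vm["id"], ia["principal"], ia["role"], ia["scope"]))
    return sorted(paths)

if __name__ == "__main__":
    for p in escalation_paths(ASSIGNMENTS, VMS):
        print(" -> ".join(p))
```
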