We’ve seen a number of clients hit by large spam attacks lately, and what they all had in common is that they opened up one or more categories to everyone - create, bypassing all trust level restrictions.
For seasoned Discourse admins it’s obvious that this is a bad idea, but for less experienced people it’s not. So it might be a good idea to state the (for us) obvious and add this to the start post of the topic.