I think it would be important to add since it’s a theme component, a user can circumvent these limitations by injecting javascript (I think) or enabling the safe mode if it’s available for them (see enable safe mode setting).
You need a plugin if you want a more secure way to do it.