Email Template security consideration

Just something I noticed while poking around Email Templates.

The function ‘get_email_template’ is whitelisted, but there are no permission checks. That means any (logged-in) user can call the function, which allows you to pass the name of an Email Template and a context dictionary.

If your Email Template only contains simple substitutions like {{ customer }}, then there is no real issue as it is the calling user who supplies the context dictionary. But if it includes any more complex Jinja2 code, for example something that is looked up from the database, there is a danger of data leakage. So when writing an Email Template, assume any user can call that template with any data they provide (because they can).
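To make the distinction concrete, here is an added example (my own code, not from the original post and not Frappe's implementation). It renders two hypothetical Email Templates with plain Jinja2: one with only simple substitutions, one that looks a value up from a database-like helper whose arguments come from the caller's context. The in-memory `DB` table, the `READ_PERMS` map, the template names, the `get_value` helper (standing in for something like `frappe.db.get_value`) and the `CheckedDB` wrapper are all constructed for the example; the real endpoint, its permission model and its template environment are not shown here.

```python
"""Added example: why a caller-controlled context is harmless for simple
substitution but leaks data once a template performs database lookups."""
from jinja2.sandbox import SandboxedEnvironment

# Constructed in-memory table standing in for the site database (assumption:
# real templates would reach records through a helper such as frappe.db.get_value).
DB = {
    "Employee": {
        "EMP-0001": {"employee_name": "Alice", "salary": 4200},
        "EMP-0002": {"employee_name": "Bob", "salary": 9800},
    },
}

# Constructed read permissions: which user may read which record (assumption).
READ_PERMS = {
    "alice": {("Employee", "EMP-0001")},
    "bob": {("Employee", "EMP-0002")},
    "hr": {("Employee", "EMP-0001"), ("Employee", "EMP-0002")},
}

# Two hypothetical Email Templates: the first only substitutes context values,
# the second performs a lookup driven by a context value the caller controls.
TEMPLATES = {
    "Welcome": "Dear {{ employee_name }}, welcome aboard.",
    "Payslip": "Dear {{ employee_name }}, your salary this month is "
               "{{ db.get_value('Employee', employee, 'salary') }}.",
}

env = SandboxedEnvironment(autoescape=False)


def has_read_permission(user, doctype, name):
    return (doctype, name) in READ_PERMS.get(user, set())


def get_value(doctype, name, fieldname):
    """Unchecked lookup, like a raw database helper exposed to templates."""
    return DB.get(doctype, {}).get(name, {}).get(fieldname)


class RawDB:
    """What a template sees when the lookup helper carries no permission check."""
    get_value = staticmethod(get_value)


class CheckedDB:
    """Lookup helper bound to the calling user; refuses records they cannot read."""

    def __init__(self, user):
        self.user = user

    def get_value(self, doctype, name, fieldname):
        if not has_read_permission(self.user, doctype, name):
            raise PermissionError(f"{self.user} may not read {doctype} {name}")
        return get_value(doctype, name, fieldname)


def get_email_template_unchecked(template_name, context):
    """Mimics the endpoint described in the post: any logged-in caller, any
    context, and the lookups the template performs are not checked at all."""
    template = env.from_string(TEMPLATES[template_name])
    return template.render(db=RawDB(), **context)


def get_email_template_checked(template_name, context, user):
    """Same endpoint, but each lookup the template makes is checked against the
    caller's own read permission, so a guessed record name yields an error."""
    # The caller must not be able to replace the checked helper with its own.
    context = {k: v for k, v in context.items() if k != "db"}
    template = env.from_string(TEMPLATES[template_name])
    return template.render(db=CheckedDB(user), **context)


if __name__ == "__main__":
    # Harmless: the caller only reads back what they supplied.
    print(get_email_template_unchecked("Welcome", {"employee_name": "Mallory"}))
    # Leak: any caller can name another employee's record and read the salary.
    print(get_email_template_unchecked(
        "Payslip", {"employee_name": "Mallory", "employee": "EMP-0002"}))
    # Hardened: the same request is refused for a caller without read access.
    try:
        get_email_template_checked(
            "Payslip", {"employee_name": "Mallory", "employee": "EMP-0002"}, "alice")
    except PermissionError as exc:
        print("refused:", exc)
```

The "Welcome" template is safe whoever calls it, because the only thing in the output is the context the caller supplied. The "Payslip" template is the case the post warns about: the caller chooses `employee`, and nothing stops them from naming a record they would not otherwise be allowed to read. Binding the lookup helper to the caller and checking read permission on each record it touches (rather than trusting the context) is one way to close that, and it also covers templates written later by someone who did not have this endpoint in mind.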