Is it safe to allow arbitrary head code and html on a website builder?

Hey!

I know on Squarespace and Shopify and a few other website builders they allow arbitrary code in the <head> section of a site. They also have a way to add custom arbitrary HTML and JS often.

That said, everywhere else I’ve read, that is a bad idea lol.

I’m curious if you know what makes it safe for them? Is it because they only either serve content on a subdomain like whatever.squarespace.com or yourcustomdomain.com?

Otherwise if the site was available at yourhompage.com/theirwebsite they could steal session info?

I guess it boils down to who is legally responsible for the code.

If you host your code yourself you can put whatever you want. If you host other people’s code on your domain but you made sure that they are responsible for it then you are fine I guess (I am not a lawyer though).

But safe, no, it is only as safe as the code is. If you will provide a CMS as a service you may quickly have to let people include JS files, script tags to provide whatever feature they want.

2 Likes
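The subdomain-versus-path question asked above, worked through as an added example (not code from either poster): it checks whether a customer site shares an origin with the builder's own app and whether the builder's session cookie is in scope there. The hostnames under `builder.example`, the cookie objects and the function names are constructed for illustration.

```javascript
// Added example: all hostnames and cookie settings here are constructed.

// RFC 6265 domain-match: a host-only cookie (no Domain attribute) goes only to the
// exact host that set it; a Domain cookie goes to that domain and every subdomain.
function cookieSentTo(cookie, host) {
  if (!cookie.domain) return host === cookie.setByHost;
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// What could custom <head>/JS on a customer site reach of the builder's session?
function assessExposure(platformAppUrl, customerSiteUrl, sessionCookie) {
  const app = new URL(platformAppUrl);
  const site = new URL(customerSiteUrl);
  // Origin = scheme + host + port. The URL path is not part of it, so
  // /theirwebsite on the app's host is the same origin as the app itself.
  const sameOrigin = app.origin === site.origin;
  const cookieInScope = cookieSentTo(sessionCookie, site.hostname);
  return {
    sameOrigin,
    // document.cookie exposes in-scope cookies unless they are HttpOnly.
    // (Cookie Path is ignored here: it is not a security boundary.)
    scriptCanReadCookie: cookieInScope && !sessionCookie.httpOnly,
    // Same-origin script can call the app with the session attached and read
    // the replies, even when HttpOnly hides the cookie value.
    scriptCanReadAppResponses: sameOrigin,
  };
}

const APP = "https://app.builder.example/dashboard";
const hostOnly = { setByHost: "app.builder.example", domain: null, httpOnly: true };
const wide = { setByHost: "app.builder.example", domain: "builder.example", httpOnly: false };

const scenarios = {
  pathOnAppHost: assessExposure(APP, "https://app.builder.example/sites/shop", hostOnly),
  subdomainHostOnly: assessExposure(APP, "https://shop.builder.example/", hostOnly),
  subdomainWideCookie: assessExposure(APP, "https://shop.builder.example/", wide),
  customDomain: assessExposure(APP, "https://shop-site.example/", wide),
};

for (const [name, result] of Object.entries(scenarios)) {
  console.log(name, JSON.stringify(result));
}
```

A separate subdomain only helps when the builder's session cookie is host-only; a cookie set with `Domain=builder.example` is still sent to every customer subdomain.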