Do you mean unauthorized (non-admin, or some extra roles?) when you say unauthenticated?
Because registering as a user is usually free and doesn't stop an attacker.
Also, social engineering might trick a moderator, so I'd prefer the default to be only for admins, or even turned off in web.config or something.
How can one check (some SQL query, maybe?) for already-injected JavaScript?
Btw, even allowing object and embed can deface a site or trick the user, etc. (or do some XSS exploit, depending on the web browser), so they should be at the same level of protection as scripts and other HTML (e.g. you wouldn't want a float in a comment to go over your content).
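As an added example (not part of the thread, and not the project's own tooling), here is what the "some SQL query" check from the comment above can look like, extended to cover the object/embed/style cases the comment also raises. It assumes a hypothetical `comments` table with `id` and `body` columns and uses an in-memory SQLite database seeded with constructed rows. The first pass is a plain `LIKE` query you could run against a real database; the second pass decodes HTML entities and applies a regex, which catches payloads the `LIKE` pass misses (the entity-encoded row is the deliberate example of that).

```python
import html
import re
import sqlite3

# Constructed sample rows (not from any real site): (comment id, body).
SAMPLE_COMMENTS = [
    (1, "Nice post, thanks!"),
    (2, '<script src="//evil.example/x.js"></script>'),
    (3, '<object data="//evil.example/a.swf"></object> harmless text'),
    (4, '<EMBED SRC="//evil.example/b.swf">'),
    (5, '<div style="position:absolute;top:0;left:0">overlay</div>'),
    (6, '<a href="javascript:alert(1)">click</a>'),
    (7, '<img src=x onerror="alert(1)">'),
    (8, "&lt;script&gt;alert(1)&lt;/script&gt;"),  # entity-encoded; LIKE alone misses it
    (9, "I love <b>bold</b> and <i>italics</i>"),
]

# Substrings a first-pass SQL query can look for. SQLite's LIKE is case-insensitive
# for ASCII, so '%<embed%' also matches '<EMBED'. On SQL Server or MySQL use a
# case-insensitive collation or LOWER(body) LIKE '%<script%' to get the same effect.
SQL_MARKERS = [
    "<script", "<object", "<embed", "<iframe", "<applet",
    "javascript:", "style=",
    "onerror=", "onload=", "onclick=", "onmouseover=",
]

SUSPICIOUS_SQL = (
    "SELECT id, body FROM comments WHERE "
    + " OR ".join("body LIKE ?" for _ in SQL_MARKERS)
    + " ORDER BY id"
)

# Second pass: one regex for active-content elements, inline event handlers,
# javascript: URLs and inline CSS (the float/position overlay case).
DANGEROUS_RE = re.compile(
    r"<\s*(script|object|embed|iframe|applet)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:"
    r"|\bstyle\s*=",
    re.IGNORECASE,
)


def build_db():
    """Create the hypothetical comments table in memory and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO comments VALUES (?, ?)", SAMPLE_COMMENTS)
    conn.commit()
    return conn


def sql_first_pass(conn):
    """Return ids matched by the plain LIKE query (what you'd run by hand on the DB)."""
    params = ["%" + marker + "%" for marker in SQL_MARKERS]
    return [row[0] for row in conn.execute(SUSPICIOUS_SQL, params)]


def decode_layers(text, rounds=3):
    """Peel a bounded number of HTML-entity encodings (&amp;lt; -> &lt; -> <)."""
    for _ in range(rounds):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text


def full_scan(conn):
    """Return ids flagged after entity decoding plus the regex; a superset of the LIKE pass."""
    hits = []
    for cid, body in conn.execute("SELECT id, body FROM comments ORDER BY id"):
        if DANGEROUS_RE.search(decode_layers(body)):
            hits.append(cid)
    return hits


if __name__ == "__main__":
    db = build_db()
    first = sql_first_pass(db)
    full = full_scan(db)
    print("LIKE pass flagged:", first)
    print("decoded+regex flagged:", full)
    print("missed by LIKE alone:", sorted(set(full) - set(first)))
```

Both passes are detection only: anything flagged still needs a human look, since legitimate comments can contain the word "style" or an `<object>` mention inside a code sample. The point of the second pass is that a `LIKE '%<script%'` query is a fine first sweep but is trivially dodged by entity encoding, so the decode step should be part of any real audit.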