Sorry, I didn't explain myself correctly.
"do you mean unauthorized (non admin or some extra roles?) when you say unauthenticated?"
- I meant if he was logged in as an Administrator as he is the only one allowed to put in content without the review.
"also social engineering might trick a moderator so I'd prefer default to be only for admins or even turned off at web.config or something"
This is allowed only for Admins and right now it's not possible to turn it off or on in the configuration.
"btw, even allowing object and embed can deface a site or trick the user etc. (or do some XSS exploit depending on the web browser), so they should be at the same level of protection as scripts and other html (e.g. wouldn't want a float in a comment to go over your content)"
Yes, they are at the same level, with the Admin exception I mentioned above.