Mono Support How to customize the HTML Editor to allow posting embedded codes (iframe) from Youtube? 

Viewed 31638 time(s), 11 post(s), 11/9/2013 3:55:11 AM - by bkkmono
11/11/2013 10:13:50 AM

Sorry, I didn't explain myself correctly.

"do you mean unauthorized (non admin or some extra roles?) when you say unauthenticated?"
- I meant if he was logged in as an Administrator as he is the only one allowed to put in content without the review.

"also social engineering might trick a moderator so I'd prefer default to be only for admins or even turned off at web.config or something"
This is allowed only for Admins and right now it's not possible to turn it off or on in the configuration.

"how can one check (some SQL query maybe?) for already injected javascript?"
- You should just search for the javascript tag in the MonoX tables via a pure select query. But as I mentioned, you shouldn't be able to inject the scripts as a registered user or anonymous.

"btw, even allowing object and embed can deface a site or trick the user etc. (or do some xss exploit depending on the web browser), so they should be at the same level of protection as scripts and other html (eg wouldn't want a float in a comment to go over your content)"
Yes, they are at the same level, with the Admin exception I mentioned above.

Regards 
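
The "pure select query" check suggested in the post above, as an added example that is not part of the original thread and not MonoX's own code: a read-only T-SQL scan of every character column in the current database for script-like markup. It assumes Microsoft SQL Server 2017 or later (for `STRING_AGG`); the thread names no MonoX tables, so the columns are discovered from `INFORMATION_SCHEMA`, and the pattern list is an assumption drawn from the tags discussed here.

```sql
-- Added example: read-only audit, no rows are modified.
-- Assumption: SQL Server 2017+; run it inside the application database.
SET NOCOUNT ON;

-- Markup to flag, matched case-insensitively against each column value (alias v).
-- The list is an assumption; extend it to fit your own content rules.
DECLARE @predicate nvarchar(max) =
      N'(v LIKE N''%<script%'' OR v LIKE N''%javascript:%'''
    + N' OR v LIKE N''%<iframe%'' OR v LIKE N''%<object%'' OR v LIKE N''%<embed%'')';

DECLARE @sql nvarchar(max);

-- Build one counting SELECT per character column and glue them with UNION ALL.
-- Names are bracket-quoted as identifiers and quote-escaped as literals.
SELECT @sql = STRING_AGG(
    CAST(N'SELECT N''' + REPLACE(c.TABLE_SCHEMA + N'.' + c.TABLE_NAME, N'''', N'''''')
       + N''' AS table_name, N''' + REPLACE(c.COLUMN_NAME, N'''', N'''''')
       + N''' AS column_name, COUNT(*) AS suspicious_rows FROM '
       + QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME)
       + N' CROSS APPLY (SELECT CAST(' + QUOTENAME(c.COLUMN_NAME)
       + N' AS nvarchar(max)) COLLATE Latin1_General_CI_AI AS v) AS x WHERE '
       + @predicate + N' HAVING COUNT(*) > 0' AS nvarchar(max)),
    N' UNION ALL ')
FROM INFORMATION_SCHEMA.COLUMNS AS c
JOIN INFORMATION_SCHEMA.TABLES AS t
  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
WHERE t.TABLE_TYPE = 'BASE TABLE'   -- skip views
  AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext');

-- One result row per table/column that contains at least one match.
IF @sql IS NOT NULL
    EXEC sys.sp_executesql @sql;
```

Each row returned is a column to review by hand, not proof of injection: markup posted by an Administrator is expected under the rules described in the post above.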
