Not running pasted commands automatically isn’t a security feature on its own, because the paste “brackets” of bracketed paste can be inside the clipboard. It’s kind of ridiculous that most terminal emulators don’t defend against that by default.