https://github.com/openshift/must-gather-operator/ has mixed deployment implications in terms of privilege escalations, while recently MG-38 improved the securityContextConstraints of the pod(s) managed by the operator,

there are still significant gaps which could lead to privilege escalation (and possible escalation attacks by bad actors on the cluster):

1. The recommended service account to run the MustGather's Job requires equivalent of "cluster-admin" level RBAC for the gather script to successfully collect all relevant kube objects (including SCC objects) it leads to the operator's namespace getting flipped into a default "privileged" scc mode (pod-security.kubernetes.io/enforce: privileged)
2. A custom must-gather script (backed by a custom image, highly desired by customers and a valid use case for must-gather itself) could be able to collect more information than appropriate with powerful cluster-scoped RBAC, this is restricted currently because the DEFAULT_MUST_GATHER_IMAGE is hard-coded in the bundle and injected to the operator as an env var

but not limited to 1 and 2 at this time, remaining gaps and possible attack surfaces which need analysis and remediation.