I'm shocked that big open-source projects are even using it. I was reading through the Actions documentation recently and it did make it pretty clear that you should not be using it for untrusted code.
> Running untrusted code on the pull_request_target trigger may lead to security vulnerabilities. These vulnerabilities include cache poisoning and granting unintended access to write privileges or secrets.
https://docs.github.com/en/actions/reference/workflows-and-a...
I feel like GitHub should deprecate it and replace it with pull_request_untrusted or something, and have every shareable aspect (like cache or secrets) be an explicit boolean opt-in.
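As an added example that is not part of the comment above or of GitHub's own tooling: a small heuristic lint in Python that flags the pattern the quoted warning describes, a workflow that uses pull_request_target and also checks out the contributor's PR head while secrets are in scope. Both sample workflows are constructed for this demonstration.

```python
import re

# Constructed sample workflows (not taken from the comment or from GitHub docs).
RISKY_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SAFE_WORKFLOW = """\
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# Expressions that resolve to the contributor's commit rather than the base branch.
PR_HEAD_RE = re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")


def audit_workflow(text: str) -> list[str]:
    """Heuristic, line-oriented check; returns a list of findings (empty when none)."""
    findings = []
    if not TRIGGER_RE.search(text):
        return findings  # plain pull_request: fork PRs get no secrets and a read-only token
    findings.append("pull_request_target: job runs with the base repo's token and secrets")
    if PR_HEAD_RE.search(text):
        findings.append("checks out the PR head, so contributor-controlled code runs in that job")
    if SECRET_RE.search(text):
        findings.append("references secrets.* in the same workflow")
    return findings


if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, audit_workflow(wf) or ["no findings"])
```

The regexes are deliberately coarse (they also match the trigger name inside an `if:` condition), so treat a hit as something to review rather than as a verdict.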