Yes, but also no. For example in GitLab a user who’s infected could push code to a branch. Then it could even make a merge request to pull that branch into main (if main is protected).

But then someone else on the team should have to manually approve that MR to allow it to be merged to main.

This kind of defeats the ability of malware to push stuff out automatically.