Yes, you are right. Sometimes, reactions cause chain overreactions. We have different intensities of the situation. I checked the iTerm2 author's notes and compared them with my setup and I thought ok. It looks like I'm safe. And I moved on. But when I read your previous comment. I am now unsure because I need to know when and what changes led to this issue in the first place.
The iTerm team is just an army of one. There may be a formal analysis of the security soon.
The root cause as I understand from other comments in this thread is a double whammy of the feature existing itself and that they managed to create a release with a WIP commit that enabled the feature. The resolved the issue by ripping out the feature. However, the latter issue remains unaddressed and to me is equally if not more concerning - there should be good practices in place to ensure that feature flags aren't even being controlled via code edits and instead there's .gitignor'ed config files that are read in a developer build for turning those features on. Additionally, git commit hooks that scan for WIP comments & prevent pushing them and sprinkling WIP comments around temporary changes might also be good defense in depth measures.
The iTerm team is just an army of one. There may be a formal analysis of the security soon.