VSCode remotes can execute code on the connecting clients, so a pwned remote server can pwn your local machine.

I mean, yeah, technically true - although you would connect in untrusted mode if you didn't trust the machine where you were editing code. At that point it should only be slightly more dangerous than opening a web page from the remote server.

So yeah, if you don't trust the remote machine then I agree - you probably shouldn't use it. But I don't really think that's the use-case they had in mind.

In that it's like THAT machine is also logging into your machine, and running code there...