That is a feature for admins only (people who already have full permissions via tiki_p_admin). It is designed for admins to do things. It can't do its job and prevent XSS.
But then, this could be exploited via privilege escalation. Thus, for this and other similarly powerful features, we did this in Tiki22: Risky Preferences.
We didn't backport for Tiki 21.x because it would risk breaking things for some users who depend on this feature.