Let’s take the security aspect one step farther: could a bad actor introduce popular code into copilot, which is full of subtle back-doors? Asking for a befriended state actor.
Why would you need a bad actor introducing a bug when Copilot already generates code that is indistinguishable from buggy (and possible backdoored) stuff? It scraped random stuff on Github and was trained on it, nobody knows what the quality or content of that training set was.