I presently run several Wordpress MU installations.
My customers are requesting a chance to publish video (not only Youtube, but from your own Expensive Media Server).
Automatically, Wordpress strips out
How harmful may be the embed tag and really should I be worried about providing them with the power?
In most cases, Expensive has advanced significantly when it comes to stopping exploits like key trapping, etc.
The most secure factor you could do this is always to obfuscate the embedding code and also have them only give you a SWF URL, this way they could not pull anything fancy within the embed object like permitting mix scripting, etc...
Particularly, you need to be careful for such things as potential cyber-terrorist attempting to call JS functions out of your blog JS files by utilizing AS3's
ExternalInterface.call() function... that will certainly be bad. However think you should use embed strategies to turn this off.
Make certain you place
allowScriptAccess="never" within the object/embed tag to deny scripting powers to 3rd party SWFs.
I recommend that Expensive is just as secure because the content it's showing which together with a Youtube video isn't any pretty much harmful than likely to go to the same video on Youtube's website.
My recommandation is by using it if you want it.