That is a feature for admins only (people that already have full permissions via tiki_p_admin). It is designed for admins to do things. It can't do its job and prevent XSS.
But then, this could be exploited via privilege escalation. Thus, for this and other similarly powerful features, we did this in Tiki22: Risky Preferences.
We didn't backport for Tiki 21.x because it would risk breaking for some users that are depending on this feature.
How to do in Tiki 21.x and older?
Just use System Configuration to deactivate preferences identified as risky here: Risky Preferences