We have integrated Analytics with our platform, based on the script compatibility with Matomo. Some clients are asking for TagManager integration, since that was recommended. We do see the benefit of the additional abilities to track more events the Tag Manager script will enable. Especially that it allows our clients to setup their trigger / tags themselves.
We do have some concerns regarding custom content / code and variables. Regarding safety for allowing tags to be injected in our platform web page source. Potentially breaking functionality by overriding javascript variables. Or breaking accessibility with markup. e.g. accidentally reusing an existing element id. Google TagManager seems to acknowledge this fact, by introducing https://developers.google.com/tag-platform/tag-manager/templates to sandbox javascript.
Besides CSP are there other options to prohibit these functions, other then asking clients not to use those custom tags? The injected tags for “custom code” will reuse the nonce that is present in the tag where we load the tagmanager script?