Yes, that’s a legitimate concern, of course. The publish portal (and our oembed API) simply provides injectable / pastable code that refers to Twitter’s widgets.js JavaScript.
From my point of view, enforcement of valid domains with CORS configuration is one way to control this (we use it to enforce what scripts can run inside our dev.twitter.com portal, for example). In the case of Twitter’s web embeds, you would want to whitelist platform.twitter.com which is where our CDN-served widgets.js is located.
If a user/administrator on your portal intermingles malicious code in the pasted tags generated from the publish portal or from the oembed API, then that is outside of Twitter’s control. One approach to this issue might be to have any site or CMS updates peer-reviewed before deployment to production. We’ve used systems like Gerrit and Phabricator to ensure that any site changes receive a +1 “ship it!” confirmation to avoid an individual user making a breaking change.
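A CMS-side check for the situation described in the post above, added here as an example; it is not part of the original reply and not Twitter's code. It audits pasted embed markup before it is saved and accepts `<script>` tags only when they load over HTTPS from platform.twitter.com. The names `EmbedAuditor` and `audit_embed`, the tag allow-list and the sample markup are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host comes from the post; the tag allow-list is an assumption of this example.
ALLOWED_SCRIPT_HOSTS = {"platform.twitter.com"}
ALLOWED_TAGS = {"blockquote", "p", "a", "br", "script"}

# Constructed sample in the shape of a pasted tweet embed.
SAMPLE_EMBED = (
    '<blockquote class="twitter-tweet"><p lang="en">Hello</p>&mdash; Example '
    '<a href="https://twitter.com/example/status/1">January 1, 2020</a></blockquote> '
    '<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>'
)

class EmbedAuditor(HTMLParser):
    """Collects reasons a pasted embed snippet should be rejected."""
    def __init__(self):
        super().__init__()
        self.violations, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"tag not allowed: <{tag}>")
        self.violations += [f"event handler {n} on <{tag}>" for n in attrs if n.startswith("on")]
        if tag == "script":
            self._in_script = True
            src = urlsplit(attrs.get("src", ""))
            if src.scheme != "https" or src.hostname not in ALLOWED_SCRIPT_HOSTS:
                self.violations.append(f"script not allowed: {attrs.get('src') or 'inline'}")
        elif "href" in attrs and urlsplit(attrs["href"]).scheme not in ("http", "https"):
            self.violations.append(f"link scheme not allowed: {attrs['href']}")

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.violations.append("inline script body")

def audit_embed(markup):
    """Return the list of violations; an empty list means the snippet passes."""
    auditor = EmbedAuditor()
    try:
        auditor.feed(markup)
        auditor.close()
    except ValueError:  # urlsplit rejects some malformed URLs
        auditor.violations.append("malformed URL")
    return auditor.violations
```

A non-empty result from `audit_embed` is a reason to block the save or route the change to a second reviewer.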