It's definitely dangerous.

Do you have credentials anywhere within reach of that session? Can you open your bank account in a browser ... within reach of that session? Are your contacts available within reach of that session? What about personal notes/emails/goals or other sensitive information? That people think these can't be added together in one very socially/monetarily destructive fell swoop is ... telling.

Ignoring obvious bad-actor concerns from just giving root to your whole life to an LLM running on someone else's server, LLMs themselves can act in ways that are extremely counterproductive to their organization/host/etc.

A quote/warning I learned in the late 90s is just as relevant today, "Computers make very fast, very accurate mistakes."

Emacs has full system access with arbitrary execution so full emacs access -> full system access.