GitLab

On Debian 11 the default loader was already equivalent to safe loader because Debian patched out the extra python classes that default loader could load to fix CVE-2020-14343.

It looks like originally the default un-safe loader was used to load OrderedDict that preserves the order of dictionaries keys. However, since Python 3.6 the dictionaries are ordered by default.

This means that the safe loader could be used everywhere. This would prevent any future vulnerabilities that could arise from loading custom python classes.