For reference the warning displayed in the getting started page is this:
Do not compile untrusted code with webpack. It could lead to execution
of malicious code on your computer, remote servers, or in the Web
browsers of the end users of your application.
There are 2 ways it can execute code, when being compiled (via loaders), and when being run. SSR would be the latter, if you compile code on your server the former. https://webpack.js.org/concepts/loaders/#inline allows you to specify a loader without it being in the webpack config, and loaders can run whatever they want.
A script that is being webpacked (and any script it includes) can run code when it is packed, and this is by design.
The trick is to abuse the “Magic Comments” feature documented here.
Just checked on current webpack 5.23.0 and this still works.
Apparently inline loaders are another abuse pathway. See: https://github.com/webpack/webpack/issues/10231