Unfiltered theme settings fields?

In previous questions I’ve asked about using non-WPMUdev themes, it has been recommended to me that I remove certain fields from any theme I use on my network because of the security risks. Obviously, we don’t want areas where users can inject and run code in their themes.

As a novice, I’m not sure I can confidently identify what these areas are. I mean, comment fields are OK, text widgets are OK, but what are some examples of fields that should be removed from themes before using them on your network?

Any advice is appreciated.
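As an added example (not part of the question above, and not taken from any particular theme), the PHP below shows the shape of the kind of theme-settings field the question is asking about: a "header scripts" option whose saved value is printed into every page verbatim, next to the same field with the filtering WordPress already applies to text widgets for users who lack the unfiltered_html capability (on multisite, by default only super admins have it). All function and option names here are invented for illustration.

```php
<?php
// Added example, not code from the original post or from any real theme.
// Option and function names (example_*) are assumptions for illustration.

// RISKY PATTERN: a theme option that stores arbitrary markup and echoes it
// into <head>. A site admin on a multisite network normally cannot post
// <script> tags because they lack 'unfiltered_html', but a field like this
// never checks that capability, so whatever is saved reaches every visitor.
function example_unsafe_register_setting() {
    // No sanitize_callback: the raw submitted value is stored as-is.
    register_setting( 'example_theme_options', 'example_header_scripts' );
}
add_action( 'admin_init', 'example_unsafe_register_setting' );

function example_unsafe_print_header_scripts() {
    // Stored <script>, <iframe> or onload= attributes are output unchanged.
    echo get_option( 'example_header_scripts', '' );
}
add_action( 'wp_head', 'example_unsafe_print_header_scripts' );

// SAFER PATTERN: same field, but saved input is filtered the way WordPress
// filters text widgets. Users with 'unfiltered_html' (super admins on a
// network) keep their markup; everyone else has script tags, iframes and
// on* event handlers stripped by wp_kses_post() before the value is stored.
function example_safe_sanitize_header_scripts( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

function example_safe_register_setting() {
    register_setting(
        'example_theme_options',
        'example_header_scripts',
        array( 'sanitize_callback' => 'example_safe_sanitize_header_scripts' )
    );
}
add_action( 'admin_init', 'example_safe_register_setting' );
```

When reviewing a theme, the fields to look for are the ones following the first pattern: any settings page input described as "custom scripts", "header/footer code", "tracking code", "custom CSS/HTML" or similar whose value is passed straight to echo (or, worse, to eval) without a sanitize callback or a capability check. A field that runs its input through wp_kses_post() (or escapes it with esc_html() / esc_attr() on output) behaves like a text widget and is not in that category.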