When embedding anything, most notably Youtube videos, visitors may be tracked through embeds on load (especially from YouTube and Twitter). Since this is illegal in the EU and cannot be fixed with custom CSS + JS, please implement a two click solution for publish embeds.
To illustrate how it should behave, here’s a good solution to this problem for Wordpress: GitHub - epiphyt/embed-privacy: Embed Privacy prevents loading of embedded external content and allows your site visitors to opt-in.
This could be considered a bug as well, since it puts publish users at risk of getting sued, because they are responsible for the content, yet they cannot comply with GDPR except for removing all embeds. Also, not all users may be aware that a YouTube embed is a GDPR violation.
While this is boring, I cannot stress enough that breaking the GDPR is fun and games until you get caught. From that point forward, it’s quite expensive. Subjecting users to that risk is not a great practice.