You can read WP’s take on disabling it here:
https://wordpress.org/support/article/hardening-wordpress/#disable-file-editing
So yes, allowing file edits in the Theme editor or limited to the Hook Element does pose a security risk to anyone with the ability to log in to your site with Administrator rights. Disallowing it will not stop them from loading malicious code …
If this is a concern to you then you won’t be able to execute PHP in the Hook Element.
Instead you will need to write your own functions in your child theme's functions.php – this article explains how to use hooks:
https://docs.generatepress.com/article/using-hooks/
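
The approach described in the reply above, as an added example that is not part of the original post or of GeneratePress's own code: a child theme `functions.php` that takes the place of a PHP Hook Element once `DISALLOW_FILE_EDIT` is set. The function names, the `child-theme` text domain, the `site-notice` class and the `child_theme_notice_text` option are hypothetical; `generate_after_header` is one of the theme's action hooks.

```php
<?php
/**
 * Child theme functions.php (added example, not GeneratePress code).
 *
 * Assumes wp-config.php already contains:
 *     define( 'DISALLOW_FILE_EDIT', true );
 */

// Warn administrators in wp-admin if the hardening constant is missing.
add_action( 'admin_notices', function () {
    if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) {
        return; // File editors are disabled; nothing to report.
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // Only show the warning to administrators.
    }
    echo '<div class="notice notice-warning"><p>'
        . esc_html__( 'DISALLOW_FILE_EDIT is not enabled in wp-config.php.', 'child-theme' )
        . '</p></div>';
} );

/**
 * Replacement for a PHP Hook Element: print a notice bar after the header.
 * The code lives in a file on disk, so changing it needs filesystem or
 * deploy access rather than only a wp-admin login.
 */
function child_theme_after_header_notice() {
    // Equivalent of a Hook Element display rule: front page only.
    if ( ! is_front_page() ) {
        return;
    }

    // Hypothetical option name; the stored value is treated as plain text.
    $message = get_option( 'child_theme_notice_text', '' );
    if ( '' === $message ) {
        return;
    }

    // Escape on output so the stored value can never inject markup.
    printf( '<div class="site-notice">%s</div>', esc_html( $message ) );
}
add_action( 'generate_after_header', 'child_theme_after_header_notice' );
```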