Potential insecure practice?

Currently the operator may create clusterrolebinding upon requests from namespace-scoped CR. That may enable a namespace-scoped user to elevate privileges? Do we need webhook/cel for better authorization?