Does having a script in a fragment qualify as a potential XSS vulnerability?

Issue

We can put Javascript code in a fragment's HTML section where the code can be executed, when the fragment is opened, like <img src=x onerror="alert(document.cookie)">
Can that be a vulnerability to Cross Site Scripting (XSS)?

This is the intended behavior, as having scripts in a fragment HTML is a valid use case.
The HTML fragment does not provide any out-of-the-box sanitization, since we expect users to allow only advanced roles to use it, and they can restrict its access by configuring the Master page to not allow its usage. Any fragment admin can write any kind of Javascript in the fragment’s JS field and these scripts are not injected by malicious parties, but by admins to provide functionality to their site
Nevertheless, we provide:
- The possibility to escape fragment text values, explained here: Escaping Fragment Configuration Text Values (I also found a related article: Can we prevent editors from injecting executable code in Web Content fields?)
- SanitizerUtil, for users to implement their own sanitization rules.