It's possible to execute anything with superadmin right through comments and async macro

That means that if you use the async macro in a restricted context, its content is itself not going to be restricted.

To reproduce, add a comment with the following content:

{{async}}
{{velocity}}velocity{{/velocity}}
{{/async}}

Expected result:

An error just like when you use the velocity macro alone.

Actual result:

The velocity is executed.