Using macros when a function would do is a legit anti-pattern (and documented as such [1]) but unrelated to the security aspect as they are compile-time constructs.

The reason they were added to the language was precisely so meta and dynamic programming is done at compile time, which you can introspect before you deploy, versus doing it at runtime, which is how most dynamic languages tackle this. And those languages are most likely not using eval either, but intrinsic features that allow you to define classes, attributes, methods, and so on programmatically.

I’d say eval is discouraged in most languages, although it is useful for building things like REPLs and interactive environments.

[1]: https://hexdocs.pm/elixir/macro-anti-patterns.html#unnecessa...