Not true, if XSS is used to compromise an admin user, the damage can be far more than what a seemingly harmless SQL injection that just reads extra columns from a table does.

This particular comment feels more like an over-concentration on trivialities rather than refutation or critique of opinion.