Whilst the raw directives are controlled by the "raw_enabled" enabled option the roles aren't. Thus if someone makes use of rst on a website an attacker could use a custom role to enter arbitrary text into a page.
Here's an example:
.. role:: unsafe_raw(raw)
:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`
A patch is attached which adds a check to see if raw_enabled is allowed in the raw_role