Toolbar restore feature can be used to obtain unobtainable items

Dragon eggs can still be obtained with a bit more effort, command blocks cant be used if not opped, probably WAI

What about monster spawners, say on a superflat world? Or barrier blocks?
I think that even if there weren't blocks such as these, this is still a bug because in the future there may be more blocks
that can't be obtained from the menu.

What if someone removed the only dragon egg?

I definitely don't think this is WAI. Even if these examples I just listed weren't available (leaving command blocks and the like), I still think this is a bug since Minecraft should be able to tell which blocks you should and shouldn't be able to get from the creative menu.

I don't think it's WAI, either. Barriers should not be obtainable and monster spawners even more. (Cause they could lag the world or just be cheaty. Also they are not obtainable by normal creative mode.)

This is a security issue, the hotbar save and restore function as it currently is assumes that if a player is in creative it has certain level of trust in that server over normal players, which is not the case in creative servers where players being in creative mode is the standard. A malicious player could use this to create an item with malformed NBT tags, then login into a creative server, spawn that item and crash the server. Such a malformed item would otherwise be unobtainable without specific permissions (like /give), but it is now possible for any player in creative due to how the saved toolbars work.

Please see https://bugs.mojang.com/browse/MC-145752 for my input on how to solve this implementation wise.

all those things require the player to be an operator for their data to be copied when placed

@kerran @StrongSand94191

While that is true, if command blocks are turned off, a player can use saved command signs to get commands longer than possible in chat, which is most likely a bug

This is very likely to be WAI because the toolbars purpose is to save the current toolbar and have you be able to load it. This does mean non-inventory obtainable items. In single player this is definitely working as intended because you can always obtain them in single player.

Now for multiplayer it is a bit more complicated if you are OP it would work the same as in single player as you could obtain them but if you wouldn't be OP things like command blocks, commandblock minecarts, commands on signs and commands on books.

Everything else would be normal as some of them can be obtained without commands like dragon eggs. Also allowing custom enchantments, custom books, custom player heads would not impact the server harmfully and are useful features for many building servers.

Now the fact that commands on books, commands on signs, command blocks and commandblock minecarts can be brought from the toolbar on a multiplayer server with no OP permission is a bug and should be fixed.

Issue still remains and is the absolute nightmare for any creative server. People are bringing in items with NBT tags that are so big they make other players crash and get autokicked, resulting in them being kicked again every time they log in, so basically a way to ban any player you want off a server without having op permissions.
People can bring in highly enchanted tools that can even kill players who are in creative mode.
People can bring in fireworks that last up to minutes, crashing anyone with minimal pc's.

Please mojang, just add a gamerule to the game that is /gamerule loadsavedtoolbars true/false, it will make creative server owners finally able to not have to fear for the well-being of their server every day.

This is intended. I always save my command block as a hotbar to not have to use a command to get it.