The script to generate that JSON is code. Jsonnet also generates JSON. So his script is filling the same role as Jsonnet would. The point stands.

He might trust his code, but I was highlighting reasons why this is not true everywhere, and indeed the ability to evaluate untrusted code can open up previously unavailable avenues. For example, storing server-side Jsonnet that can be safely evaluated by a multitenant backend.