Agreed, you often dig into what it built and find something insanely over engineered or something that doesn’t match the “style” of your existing code.
In this case that‘s actually a security vulnerability, I‘ve also seen a case where it built an api with auth but added a route where anyone could just PUT a new API key into it. Sometimes its own code review catches these, sometimes it does not.