A real attacker would need to change the code snippet on google site. Which is, let's be honest, impossible.
However, you indeed need to be really careful with the code you copy/paste from Internet.
The scenario I am expecting here is for a website to be infected, such as a WordPress blog having a vulnerable plugin or outdated version.
Once the website is compromised, the attacker can change the analytics code and it would be really hard to detect.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.