Passing a string to setTimeout() is similar to using eval(), because the string is processed as code. If the username variable contains malicious code, it will be executed. Always use function references with setTimeout() instead: setTimeout(() => alert(`User ${username} logged in`), 1000). This ensures only your intended code is executed.
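The difference between the two forms, as an added example that is not code from the original page. It assumes the string form was built by concatenating username into the code text; runAsTimerString(), makePage() and markInjected() are hypothetical helpers, and the hostile input is constructed.

```javascript
// Node's setTimeout rejects strings, so runAsTimerString() models what a
// browser does with setTimeout("..."): compile the text as script and run it.
function makePage() {
  const page = { shown: [], injected: false };
  page.alert = (msg) => page.shown.push(msg);           // stand-in for window.alert
  page.markInjected = () => { page.injected = true; };  // hypothetical marker function
  return page;
}

function runAsTimerString(page, code) {
  // Same effect as eval(): the string becomes executable code.
  new Function("alert", "markInjected", code)(page.alert, page.markInjected);
}

// String form: username is spliced into the code text.
function unsafeLogin(username) {
  const page = makePage();
  runAsTimerString(page, "alert('User " + username + " logged in')");
  return page;
}

// Function form from the text: username stays data inside a closure.
function safeLogin(username) {
  const page = makePage();
  const alert = page.alert;
  const callback = () => alert(`User ${username} logged in`);
  callback(); // called directly here; in a page: setTimeout(callback, 1000)
  return page;
}

// Constructed input: ends the string literal early and appends a call.
const hostile = "x'); markInjected(); ('";

const viaString = unsafeLogin(hostile);
const viaFunction = safeLogin(hostile);
console.log("string form:  ", viaString.shown, "injected:", viaString.injected);
console.log("function form:", viaFunction.shown, "injected:", viaFunction.injected);
```

With the string form the input changes what code runs; with the function form the same input is only displayed as text.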