In a recent update, the Raspberry Pi Foundation installed a Microsoft apt repository on all machines running Raspberry Pi OS (previously known as Raspbian) without the administrator’s knowledge.
Officially it’s because they endorse Microsoft’s IDE (!), but you’ll get it even if you installed from a light image and use your Pi headless without a GUI. This means that every time you do “apt update” on your Pi you are pinging a Microsoft server.
They also install Microsoft’s GPG key used to sign packages from that repository. This can potentially lead to a scenario where an update pulls a dependency from Microsoft’s repo and that package would be automatically trusted by the system.
I switched all my Pi’s to vanilla Debian but there are other alternatives too. Check the /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d folders of your Pi’s and decide for yourself.