By default Moodle will always thoroughly clean text that comes from users to remove any possible bad scripts, media etc that could be a security risk. The Trusted Content system is a way of giving particular users that you trust the ability to include these advanced features in their content without interference. To enable this system, you need to first enable this setting, and then grant the Trusted Content permission to a specific Moodle role. Texts created or uploaded by such users will be marked as trusted and will not be cleaned before display.
BUT - even with enabletrusttext disabled - users with a capability defined with XSS flag can upload content that is not filtered (This is not enforced in code - but is a policy devs apply when deciding if they can use the noclean option for format_text).
E.g. module intros (like a label). There is no definitive list of these places.