The Advanced Risk of Basic Roles In GCP IAM

Most GCP users know that granting basic roles is a really bad practice, but you may be surprised to learn that the risk is much more serious than it might seem because basic roles actually grant far more than what appears on the permissions list (which is already excessive, of course).

For the Owner role, we can assume that most project administrators are aware it includes the resourcemanager.projects.setIamPolicy permission, which allows for straightforward privilege escalation, and that they manage the risk accordingly. However, for Viewer or Editor, you could make the very reasonable assumption that even though the roles provide a wide set of permissions - spanning every resource type in a GCP project - at least they won't allow anything else.
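Whatever the hidden extras turn out to be, the first defensive step is simply knowing where basic roles are bound in a project. The following audit script is an added example and is not part of the original post: it reads an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, and reports every member bound to `roles/owner`, `roles/editor` or `roles/viewer`. The embedded policy, its member names and project name are constructed for the example.

```python
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample policy, shaped like the JSON output of
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# All members and the project name below are made up for this example.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com",
                 "group:devs@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]},
    {"role": "roles/logging.viewer",
     "members": ["user:carol@example.com"]}
  ],
  "etag": "BwXYZexample=",
  "version": 1
}
"""

# The three basic roles; everything else (predefined or custom) is left alone.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Owner additionally carries resourcemanager.projects.setIamPolicy, so its
# bindings deserve the loudest warning in the report.
ROLE_NOTES = {
    "roles/owner": "includes resourcemanager.projects.setIamPolicy",
}


def find_basic_role_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs for every member bound to a basic role."""
    findings: List[Tuple[str, str]] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role in BASIC_ROLES:
            for member in binding.get("members", []):
                findings.append((role, member))
    return findings


def audit_policy(policy_json: str) -> Dict[str, List[str]]:
    """Parse a policy document and group flagged members by basic role."""
    policy = json.loads(policy_json)
    report: Dict[str, List[str]] = {}
    for role, member in find_basic_role_bindings(policy):
        report.setdefault(role, []).append(member)
    return report


if __name__ == "__main__":
    # Pass a file path saved from gcloud to audit a real policy; otherwise
    # the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            policy_text = fh.read()
    else:
        policy_text = SAMPLE_POLICY_JSON

    report = audit_policy(policy_text)
    if not report:
        print("No basic role bindings found.")
    for role, members in report.items():
        note = ROLE_NOTES.get(role)
        print(f"{role}" + (f"  ({note})" if note else ""))
        for member in members:
            print(f"  - {member}")
```

Run against a real project with `gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json` followed by `python audit_basic_roles.py policy.json`. Because the check keys on the role name rather than on any permission list, it is unaffected by whatever a basic role grants beyond its documented permissions; the point is to find the bindings first and replace them with predefined or custom roles.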
