Why is ObjectManager::getInstance in production code such a big deal?

It bypasses the entire DI container, which means: (1) plugins on the resolved class never fire — including security plugins from third-party modules; (2) the class can't be mocked for unit tests, so coverage drops; (3) preferences in etc/di.xml are ignored, so a customer who overrode the class gets the default instead. Adobe's EQP checklist auto-fails the PR. The only legal locations are Setup/Patch/ (no DI yet at install time), Test/Unit/ (mocking framework needs it), and Block/ if you literally have no choice (you do have a choice — use a ViewModel). Replace every call with constructor injection.