First of all, I would not say that this was "secretly" added as some of your links suggests: this was clearly indicated in the logs and in the commit history, which I happen to read both regularly 😀 See also this article from ArsTechnica.
But the Raspberry Foundation should have maybe communicated more and/or better…
As for the MoodleBox: there's absolutely no consequence, since no Microsoft software is installed, unless the user asks for it, and there's no risk some other software can overwrite legitimate software, since the repository has been given a low priority (see this commit). Moreover, there's no "phone home" to MS. So you should not worry too much IMHO.
Anyway, since MoodleBox is a headless system and VScode is not needed on it, the address and the GPG key of the MS repo won't be present in future versions of the MoodleBox image (just like in all the previous images).
PS. One can remove manually the key and address from any Pi by entering this command in your MoodleBox (at your own risk, don't blame me if you brick your system):
rm -f /etc/apt/sources.list.d/vscode.list /etc/apt/trusted.gpg.d/microsoft.gpg