That happens when you are run debugging/publish container or if users come to your site with disabled js. (some bots)
Usually, we use allow list permission on Facebook and allow only needed domains.
Also, as an option, you can prevent triggering these requests. Use the following video as an explanation: What is gtm-msr.appspot.com and how can I get rid of it? - YouTube