_Code Injection_ requires a Business plan or higher.
The snippet runs on all public pages. Squarespace checkout pages (on secure.squarespace.com) live on a separate domain and don't receive the snippet — that's expected, and also the reason Squarespace doesn't capture e-commerce conversions without a native integration.
Squarespace admin views aren't tracked: the snippet only loads for anonymous visitors — your editor sessions don't show up (as long as you stay logged into squarespace.com).