First of all - one can configure it - second: it should not be installed (or if installed not be activated) by default - that's the downside of installing meta-packages and/or recommends. So there are two ways to prevent this:
a) find the package which throws in the unattended things and fix it (if unattended-upgrades are a dependency)
b) find the package and if unattended-upgrades are only recommended - forbid the installation in the iso
I installed a fresh install of Patience and unattended-upgrades was installed by default in a vm. Doing 'apt remove unattended-upgrades' simply removes the package and nothing else.
Now that said, doing some digging I found that the apt-daily.service, apt-daily.timer, apt-daily-upgrade.service, and apt-daily-upgrade.timer are installed with apt. apt-daily-upgrade.service and apt-daily-upgrade.timer are also part of the unattended-upgrades package as well.
Now on my desktop because I don't mind the apt-daily.timer I disabled and masked the apt-daily-upgrade.timer and removed the unattended-upgrades package.
systemctl stop apt-daily-upgrade.timer
systemctl disable apt-daily-upgrade.timer
systemctl mask apt-daily-upgrade.service
systemctl daemon-reload
As an FYI the mask apt-daily-upgrade.service is done to link the service to /dev/null, even if a service/timer is disabled if it's a dependency of another service it could still be started. Masking it ensures it would accidentally upgrade your system without your permission.
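
An added example, not part of the posts above: a small audit helper that reports whether each of the four apt units named in the thread is masked (symlinked to /dev/null) or enabled, by reading the unit-file symlinks directly. The function names, the root-directory argument, and the constructed sample tree are assumptions made here so the check can also be run against a mounted image or a test directory.

```shell
#!/bin/sh
# Added example: audit the apt units named in the thread via their symlinks.
# All function names and the ROOT argument are hypothetical.

# unit_state ROOT UNIT -> prints masked | enabled | not-enabled
unit_state() {
    root=$1
    unit=$2
    etc="$root/etc/systemd/system"
    # "systemctl mask" creates /etc/systemd/system/UNIT -> /dev/null
    if [ -L "$etc/$unit" ] && [ "$(readlink "$etc/$unit")" = "/dev/null" ]; then
        echo masked
        return
    fi
    # "systemctl enable" creates a symlink in a *.wants/ directory
    for link in "$etc"/*.wants/"$unit"; do
        if [ -L "$link" ]; then
            echo enabled
            return
        fi
    done
    # No mask and no enable symlink under /etc (covers disabled and static units)
    echo not-enabled
}

# audit_apt_units ROOT -> one "unit state" line per unit from the thread
audit_apt_units() {
    for u in apt-daily.timer apt-daily.service \
             apt-daily-upgrade.timer apt-daily-upgrade.service; do
        printf '%s %s\n' "$u" "$(unit_state "$1" "$u")"
    done
}

# Constructed sample tree: the state left by the four commands in the post,
# with apt-daily.timer still enabled.
make_sample_root() {
    sample_etc="$1/etc/systemd/system"
    mkdir -p "$sample_etc/timers.target.wants"
    ln -s /dev/null "$sample_etc/apt-daily-upgrade.service"
    ln -s /lib/systemd/system/apt-daily.timer \
        "$sample_etc/timers.target.wants/apt-daily.timer"
}

demo=$(mktemp -d)
make_sample_root "$demo"
audit_apt_units "$demo"
rm -rf "$demo"
```

To check the running system instead of the sample tree, call `audit_apt_units ""` so the paths resolve under `/etc/systemd/system`.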