uses a modern Notebook which is QubesOS certified and runs coreboot

I can confidently say that in not a single company project I did frontend development for did I ever leave user input unsanitized.

But I did not ever create a Lemmy like project, that is true.

The reason it’s perceived that way is because code injection in user input, is (one of) the most obvious, well-known, and easiest attacks to do, while at the same time being super easy to prevent.