In my use case, I just use content negotiation/headers to return xml, json, or HTML from the same URI. All of it comes from XSLT or xquery, sometimes Python in other projects. Doing it on the client side doesn’t really seem so necessary as it’s really simple to configure on this behavior on the backend once for all my functions.

Shallow FUD tactic ??

"The feature is often the source of significant security issues."

(how often ? - I see ONE potential security issue there, so long since a month ?)

"Browsers currently support a ~25 year old version of XSLT"

----

As usually, the programmer basically and ignoring Users Case for his reward ($ impedance mismatch), is saying that the later is better than the former as he likes to use some JS magic (..there is nothing going on?) - because then.. he can debug it (!):

  <xsl:template name="book">
  <div class="book">
    <img class="cover" src="{cover}" alt="" />
    <div class="book-info">
      <div>..
        <span class="author"><xsl:value-of select="../name" /></span>
      </div>..
    </div>
  </div>
  </xsl:template>


  [..]
  const bookHTML = (bookEl) => html`
  <div class="book">
    <img
      class="cover"
      src="${bookEl.querySelector(':scope > cover').textContent}"
      alt=""
    />
    <div class="book-info">
      <div>..
        <span class="author">
          ${bookEl.parentNode.querySelector(':scope > name').textContent}
        </span>
      </div>..
      </div>
  </div>
  `;
  [..]

(or no job for JavaScript Document Programmer)