Not the discussion, but SPAs are fundamentally safer against XSS, in the sense that data and code have different paths.