The issue is everyone loves to have everything fronted by a single domain. Most of XSS is because of this basic flaw. All of this could have been avoided if Discord didn't run their API docs through discord.com
Thanks for this comment tick_tock :)
After reading this, I did some research and learned a lot. I never really considered that, by including many things under the same domain, you're increasing your blast radius w.r.t. security vulnerabilities. Thanks for that
But then you have to be able to trust that the other domain is actually operated by Discord and isn't some social engineering front.
This is what it really comes down to. Browsers are built around origins as the major security boundary. When you use a separate origin, safety comes for free.
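As an added illustration of the point above about origins as the browser's security boundary (example code, not from any commenter or from Discord), the snippet below computes the origin tuple (scheme, host, port) the way browsers do for the same-origin policy and reports which hosted assets share the main application's origin. The hostnames are constructed (example.com and its subdomains); the takeaway is that docs served under a path on the main domain land inside the same origin as the app, while docs on a separate host do not.

```python
from urllib.parse import urlsplit

# Default ports per scheme, so "https://example.com:443" equals "https://example.com".
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple that browsers use as the origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True when the two URLs are same-origin: paths and query strings do not matter."""
    return origin(url_a) == origin(url_b)


def blast_radius(app_url, asset_urls):
    """Split hosted assets into those inside the app's origin and those outside it.

    Anything inside the origin can, if it runs script, read the app's DOM and
    same-origin storage; anything outside is isolated by the browser for free.
    """
    inside, outside = [], []
    for asset in asset_urls:
        (inside if same_origin(app_url, asset) else outside).append(asset)
    return inside, outside


# Constructed sample layout: an app plus docs hosted two different ways.
APP = "https://example.com/app"
ASSETS = [
    "https://example.com/developers/docs/index.html",  # docs under a path
    "https://docs.example.com/index.html",            # docs on their own host
    "https://example.com:443/assets/vendor.js",       # same origin, explicit port
    "http://example.com/legacy.js",                   # different scheme, different origin
]

if __name__ == "__main__":
    inside, outside = blast_radius(APP, ASSETS)
    print("same origin as app:", inside)
    print("isolated by origin:", outside)
```

Run as a script it prints the two groups; the design choice worth noting is that origin comparison ignores the path entirely, which is exactly why "just put it under /docs" offers no isolation at all.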
It's a bit surprising they did that, to be honest. I work at a similarly-sized, HN-popular tech company and our security team is very strict about less-trusted (third party!!) code running on another domain, or a subdomain at the very least, with strict CSP and similar.
But in the age of AI, it seems like chasing the popular thing takes precedence to good practices.