Hacker News

amluto today at 4:31 AM

Or sending Content-Security-Policy: script-src 'none' for everything that isn’t intended to be a document. Or both.

IMO it’s too bad that suborigins never landed. It would be nice if Discord’s mintlify route could set something like Suborigin: mintlify, thus limiting the blast radius to the mintlify section.


Replies

est today at 5:41 AM

maybe adding a dedicated cookie for that specific path?
