no real gotchas. JS is slightly dangerous because of JS, yes. You should never fetch things at runtime to execute if possible - instead, you install absolutely everything you need with npm or bun, and it gets inlined at build time

electrobun ships with an RPC (i think it also does some encryption?) so as long as you use that to communicate between your webview and bun "host process" you should be safe.