I typically send content through rdrview[0] before piping through w3m-sandbox[1], which should be pretty safe. I also only browse one site per w3m instance.
[0]: https://github.com/eafer/rdrview
[1]: https://git.sr.ht/~seirdy/bwrap-scripts/tree/trunk/item/w3m-...