It has been used in applications that have been security tested.
The module itself doesn’t use the JavaScript parser at all and has no mechanism for making JavaScript calls from within the DTL expressions. This is by design: part of DTL's original requirements was to prevent arbitrary code execution, and great care has been taken to maintain that safety.
That said, it carries the same risk as using any publicly available JS module, and you should definitely investigate yourself and not take my word for it.