JS not allowed on the character sheet?

After forking the github repository just now to look into possibly modifying the wonderful 5E shaped character sheet for my own devices, I was surprised by the size of it and thought "Why is there no model binding going on?" After reading the wiki I saw that there is no js allowed on the Character Sheet. Can I ask why? Javascript is the lingua franca of coding for Roll20, so why does the code stop there?

Because opening up JS exposes potential vulnerabilities. The API scripts run on a separate server and have no direct access to the user's client. If we could embed JS into a character sheet, it would by necessity be client-side, and it would be rather difficult to prevent such a script from gaining client window access, which allows for Bad Things™. As character sheets are just a beautification of the attributes system already in place plus roll buttons which can execute any macro (including call API scripts), however, you can write an API script to interact with your sheet through those two mediums.

Hrmm, that's interesting. Maybe allow a sanitized model that can be bound on the server side via Express or whatever sits on top of node and serves the character sheet.