I absolutely love your thinking. What you propose does is defang the programmability aspect into an inert (but safer) "text-based" form.
But which side should assume the responsibility of this JS-defanging effort into text-based? Client or server? Postal said "be liberal in what you receive and conservative in what you send". So, being conservative (in this respect), server has to be minimalistic (including denial of programmability).
Real problem remains, too much accessibility of programming is being made available to let client-side take it in ... in a gullible way.
And no amount of Sideshow Barker (not a dig on HN's Sideshow Barker) can fix this, until one of the MAANG decides "enough".
