hypertext8589 wrote
Reply to comment by dev in Recommended web technologies for I2P and tor projects by dev
By "unsecure JS" they usually mean the fact that clientside javascript can make XHR requests to clearnet servers that try to impersonate you. It was historically an attack vector during the early days of I2P when the recommended way to use it was FoxyProxy which was installed in your normal browser and only routed through your 4444 links ending with "*.i2p". This setup was unsecure as fuck because clearnet XHR requests from an i2p page weren't routed through i2p and thus revealed your real IP address. I think those days are long gone and people mostly don't use I2P like that. I personally use the "multi-account containers" Firefox extension and everything within the I2P container is required to route through 4444 even if it's XHR to clearnet. Average users probably use a dedicated browser or run it within Tor browser. And even then, if you still consider clientside JS to be unsecure, in case of tech like NextJS where you can have purely serverside JS, it's no different from PHP. Idk about Nuxt, but I assume you can also have 100% SSR there.
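Added example, not part of the comment above: the two routing setups it contrasts, written as PAC-style decision functions and run over the requests an eepsite page might trigger. The proxy address `127.0.0.1:4444` (the comment gives only the port), the function names and every hostname are assumptions constructed for illustration.

```javascript
// Assumption: the I2P HTTP proxy listens on 127.0.0.1:4444.
const I2P_PROXY = "PROXY 127.0.0.1:4444";

// Pattern-based routing, as in the old FoxyProxy setup: only hosts
// ending in ".i2p" use the proxy, everything else goes out directly.
function patternRouting(url, host) {
  return host.toLowerCase().endsWith(".i2p") ? I2P_PROXY : "DIRECT";
}

// Container-style routing: every request uses the proxy, whatever the
// destination, and there is no DIRECT fallback.
function forcedRouting(url, host) {
  return I2P_PROXY;
}

// Constructed sample: requests one page load on an eepsite could cause.
const SAMPLE_REQUESTS = [
  { kind: "document", url: "http://forum.example.i2p/thread/1" },
  { kind: "xhr", url: "http://forum.example.i2p/api/comments" },
  { kind: "xhr", url: "https://tracker.example.com/collect" },
  { kind: "image", url: "https://cdn.example.net/pixel.gif" },
  // Clearnet host that merely contains ".i2p" in the middle of its name.
  { kind: "xhr", url: "http://forum.i2p.example.org/beacon" },
];

// Requests that would bypass the proxy under the given policy, i.e. the
// ones whose remote server sees the user's real IP address.
function findDirectRequests(policy, requests) {
  return requests.filter((r) => {
    const host = new URL(r.url).hostname;
    return policy(r.url, host) === "DIRECT";
  });
}

// Print a short audit of both policies when run stand-alone.
for (const [name, policy] of [
  ["pattern (*.i2p only)", patternRouting],
  ["forced (all traffic)", forcedRouting],
]) {
  const leaks = findDirectRequests(policy, SAMPLE_REQUESTS);
  console.log(`${name}: ${leaks.length} request(s) bypass the proxy`);
  for (const r of leaks) console.log(`  ${r.kind} -> ${r.url}`);
}
```

The same audit can be pointed at any real PAC function by passing it as `policy`, which makes a leftover `DIRECT` branch easy to spot before the profile is used.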