don't think that's a bad idea. probably any decent web framework just with html/css would probably be fine. http://terminus.i2p does this with php/html/css, it's source is on http://git.simp.i2p/fuzzykitten/dev_endboard. i've used flask a lot for some things like http://git.simp.i2p/simp/i2music. there's a rust based wsgi/asgi server granian that offers better performance over the normal gunicorn/uvicorn, also some good web frameworks in rust too though not as mature as many of the standard options. there's vulnerability scanners active in i2p even if you don't publish it to a registrar just to keep in mind, i'm always a little concerned about which endpoints are exposed and how they'd be abused

By "unsecure JS" they usually mean the fact that clientside javascript can make XHR requests to clearnet servers that try to impersonate you. It was historically an attack vector during the early days of I2P when the recommended way to use it was FoxyProxy which was installed in your normal browser and only routed through your 4444 links ending with "*.i2p". This setup was unsecure as fuck because clearnet XHR requests from i2p page weren't routed through i2p and thus revealed your real IP address. I think those days are long gone and people mostly don't use I2P like that. I personally use "multi-account containers" Firefox extension and everything within I2P container is required to route through 4444 even if it's XHR to clearnet. Average users probably use a dedicated browser or run it within Tor browser. And even then, if you still consider clientside JS to be unsecure, in case of tech like NextJS when you can have purely serverside JS, it's no different from PHP. Idk about Nuxt, but I assume you can also have 100% SSR there.