Trustworthiness of client-side code imported from server module?

I know that client-side code must be considered untrustworthy, insofar as one cannot assume client calls to server functions are not malicious, since client-side code can be modified. (So, validation must occur both client-side and server-side.)

But I’m less certain about any implications for server-side importing of client-side code. Is doing this in any way unsafe? My initial guess was it was fine to do so, given that it’s how we’re supposed to implement Portable Classes per the documentation.

However, I figured I’d double-check that I’m not making dangerous assumptions. Are there any implications for server-side imports of client code that we need to consider? In particular, is there any circumstance (either common or edge case) where such an import could be tainted by a malicious end-user? Can one, for example, place a dict used for validation in a client module, and import it from server code without fear that it might be modified?

My apologies if this is described in the documentation and I missed it. If so, please let me know where I need to start reading.

Best, Dan


After client-side code is loaded into browser memory, from the master copy in your Anvil app, the browser’s in-memory copy can be inspected and modified by a malicious user. So that copy can’t be fully trusted.

But they can’t save their hacked-up version back into your Anvil app. So it’s not the original copy of the code we need to worry about. It’s just the mucked-with copy in that user’s browser.

As I understand it, the Server has no access to this modified copy. When the Server loads a Portable Class definition, or any other code, it loads it from your App’s original copy, securely kept within Anvil’s servers.

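The two-copy model described in the answer above, as an added example in plain Python (not Anvil's own code, and not something from the original thread). The shared-rules module source, the `ORDER_RULES` dict and the `validate_order` / `server_handle_order` function names are constructed for illustration. The server rebuilds the module from the canonical source on every call; the client holds a separate copy that an attacker edits in memory, then "validates" a bogus order against it. The server's copy is untouched, so server-side validation against the same rules still rejects the submission:

```python
# Added example: a validation dict shared between client and server, with
# server-side enforcement. Plain Python, not Anvil's own code; the module
# source, names and rules below are constructed for illustration.
import copy
import types

# Constructed source of a "client module" as it would sit in the app's master
# copy. The server imports from this canonical text, never from a browser.
SHARED_RULES_SOURCE = '''
ORDER_RULES = {
    "quantity": {"min": 1, "max": 10},
    "currency": {"allowed": ("USD", "EUR", "GBP")},
}
'''


def load_shared_module(name="shared_rules"):
    """Build a fresh module object from the canonical source string.

    Each call returns an independent copy, which is what happens when the
    server loads the app's own code rather than anything a client sent."""
    mod = types.ModuleType(name)
    exec(compile(SHARED_RULES_SOURCE, f"<{name}>", "exec"), mod.__dict__)
    return mod


def validate_order(order, rules):
    """Check an order dict against the rules; return a list of error strings
    (empty list means valid). Used by both sides, but only the server's
    verdict counts."""
    errors = []
    q = order.get("quantity")
    qr = rules["quantity"]
    # bool is a subclass of int, so reject True/False explicitly.
    if isinstance(q, bool) or not isinstance(q, int) or not (qr["min"] <= q <= qr["max"]):
        errors.append(f"quantity must be an int in [{qr['min']}, {qr['max']}]")
    if order.get("currency") not in rules["currency"]["allowed"]:
        errors.append("currency not allowed")
    return errors


def server_handle_order(order):
    """Server-side entry point: re-load the rules from the master copy and
    validate, ignoring whatever the client claims it already checked."""
    rules = load_shared_module().ORDER_RULES
    return validate_order(order, rules)


def tampered_client_submission():
    """A malicious client: it holds its own in-memory copy of the rules,
    widens it to permit anything, 'validates' a bogus order against that
    copy, and sends the order. Returns (order, client_side_verdict)."""
    client_rules = copy.deepcopy(load_shared_module().ORDER_RULES)
    client_rules["quantity"]["max"] = 10**9                       # attacker edits their copy
    client_rules["currency"]["allowed"] = ("USD", "EUR", "GBP", "XXX")
    order = {"quantity": 5000, "currency": "XXX"}
    client_says_ok = not validate_order(order, client_rules)        # True: client copy is rigged
    return order, client_says_ok


if __name__ == "__main__":
    order, client_ok = tampered_client_submission()
    print("client-side validation passed:", client_ok)             # True
    print("server-side errors:", server_handle_order(order))       # two errors
```

The point the example makes is the one in the answer: the tampering lives only in the client's copy, so the import on the server is safe, but the server still has to run the validation itself rather than trust a "validated" flag or a pre-filtered payload from the browser.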