Security of Frontends (and of safe browsing more generally)

I would like to use Frontends such as Invidious, Teddit, Tubo and especially the extension Libredirect which automatically connects to Frontends. But I am deterred by the lack of information on how trustworthy these are.

The way in which there are dozens of different “instances” reminds me of movie piracy sites which I always believed would somehow damage my system with malware or make me easy to hack. I don’t know how rational this concern is, as I don’t have the knowledge to know what the risks of using websites of the sort could possibly be.

I am using these Frontends via Browser instead of download for the same reason of exercising caution with things I do not understand. But I read somewhere (this website I was convinced, but could not find since), that downloading applications is better than browsing for security/privacy - but it seems like downloading things is the last thing an ignorant web user should be doing.

Security risks in this case would come from the software itself, not the instances. The reason there are multiple instances is because it can be self-hosted and is thus somewhat decentralized. Instances can even talk to each other to evade geoblocking using [matrix].

My primary concerns regarding security would generally be XSS — Cross Site Scripting. As it loads content from other websites, an XSS exploit that exists on the frontend could be exploited by content posted. The chance of this is low as usually people report XSS vulns + there is nearly no reason to target frontends in your post, but the ability is technically there and the team is smaller which is why it may be checked less extensively.

I see, I guess my concern would be that an instance uses software which is not identical to the other instances, but has something malicious sneaked into it.

By cross scripting, are you referring to frontends in general, or the re-directs in general? If frontends in general, I don’t understand how content posting on say Youtube or Reddit could be used to exploit. But maybe I’m misunderstanding what you mean by “frontends could be exploited by content posted”?

(by example of Invidious/Piped)
XSS in this case can be summarized as something malicious being in the description of a video or a comment that would lead Invidious or Piped to execute a piece of code from merely loading it.

Of course this is BAD for anyone trying to use these frontends, it’s a security vulnerability.

(to be clear, I use some terms so rarely that I often confuse them, so what I’m talking about may not actually be called XSS and I apologize for that, should it happen.)
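The failure mode discussed in this thread, shown beside the defence a frontend needs, as an added example that is not part of the original posts and is not code from Invidious or Piped. The function names, the sample description and the CSP value are assumptions made for illustration.

```javascript
// Added example: all names and sample data are constructed for illustration.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESC[c]);
}

// Unsafe: text fetched from the upstream site is concatenated into markup as-is,
// so any tag an uploader typed into a description becomes part of the page.
function renderDescriptionUnsafe(description) {
  return '<p class="description">' + description + '</p>';
}

// Safer: treat the description as plain text. Escape every piece, and turn only
// http(s) URLs into links, with the href escaped for the attribute context too.
function renderDescriptionSafe(description) {
  const text = String(description);
  const urlPattern = /\bhttps?:\/\/[^\s<>"']+/g;
  let out = '';
  let last = 0;
  for (const m of text.matchAll(urlPattern)) {
    out += escapeHtml(text.slice(last, m.index));
    let url = null;
    try { url = new URL(m[0]); } catch { url = null; }
    if (url && (url.protocol === 'http:' || url.protocol === 'https:')) {
      out += '<a rel="noopener noreferrer nofollow" href="' +
        escapeHtml(url.href) + '">' + escapeHtml(m[0]) + '</a>';
    } else {
      out += escapeHtml(m[0]); // not a usable URL: keep it as inert text
    }
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return '<p class="description">' + out.replace(/\n/g, '<br>') + '</p>';
}

// Defence in depth: a response header that blocks inline script even if an
// escaping bug slips through (constructed policy, adjust per deployment).
const CONTENT_SECURITY_POLICY =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed sample of what an uploader could put in a video description.
const SAMPLE_DESCRIPTION =
  'New video!\n<img src=x onerror="alert(1)"> more at https://example.org/a?b=1&c=2';
```

With the sample input, the unsafe renderer emits a live `<img>` tag while the safe renderer emits the same characters as visible text and a single escaped link.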