



Are those expressions evaluated by JavaScript or is there proper isolation from the browser context? I.e. can I safely embed a user-generated Vega plot or is that XSS?

edit: Found the docs: https://vega.github.io/vega/usage/interpreter/ They do have security features, and even an AST-based interpreter.



