hi! jsreport is a dev tool, so it is not practical to put a lot of effort into disabling every feature just for security reasons; instead, the security is handled in your application. you should treat jsreport just like some other dev technology like docker. so in other words, you should not expose the full features of such a dev tool to end users; instead you create a proxy in front (your own app) with just some basic and safe options to send. for example, all users of your app should use your app directly to generate reports, not jsreport directly, so you can control how many features of jsreport your end users can use in the end. with that in mind it is very easy to control that your users should not be able to send scripts; that control should exist in your app, depending on how permissive you want to be.
about the HTTP API/OData API, it is easy too: just make jsreport a local service, not exposed to the public, so you should not be able to connect to it using some public IP. if you need communication between your app and jsreport, just use a VPN, or point to a local IP and port in case jsreport is hosted on the same server.
as you can see, the security topics are just the same as what you would do with any other dev tool that you want to expose to end users.