Kind of. It's sort of a priority/trade off thing. Basic XSS can be easily mitigated, but the nature of nostr clients is that they're always fetching unknown and untrusted data from servers (relays) and it's often not a priority of the developer (or their AI vibe sessions) to consider the "what could happen if".