Sorry to be a buzzkill but I can answer any question about this right now - You will not be able to do this kind of js twiddling long term and you should not rely on it because we will for sure for security and application stability reasons be sandboxing any kind of code evaluation.
The reason you have it now is not because we need an appsec auditor to tell us about basic owasp recommendations like CSP (though we do of course have that) it’s that we’ll be adding an execution sandbox and factoring out anything that’s allowing execution without breaking basic things you do need to do in expressions. So have your fun while it lasts but we do not recommend doing anything in an expression besides evaluating a boolean expression with the data that we hand you access to from the dataviews or it is almost certainly going to be blocked by our sandbox later. Expect that your expressions will run in a different browser context entirely actually.