Since an entire application built on Blockstack runs on the client’s computer (no app-specific backend), how do we validate inputs without worrying about client-side JavaScript injection?
I was exposed to Blockstack only a week ago and I’ve been reading a lot about the platform since then. Please correct me if any of my assumptions are wrong.
I have recently started learning about Blockstack and I am curious about the answer to this question too. How does one create a secure sandbox inside an unsecure environment like client-side JS?
The user’s Web browser itself is the sandbox. Recall that Blockstack applications do not have access to the user’s identity wallet or private keys. Instead, they receive an app-specific private key (a hardened child of their identity key). This means that at worst, apps can only hurt themselves—they can’t access other apps’ data or the user’s secrets.
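
An added illustration, not part of the original thread and not Blockstack's own code, of why a hardened child key isolates apps from one another and from the identity key. It assumes standard BIP32 hardened derivation on secp256k1; the `appIndex` origin-to-index mapping, the helper names and the sample secrets are constructed for this example.

```javascript
const crypto = require('crypto');

// Order of the secp256k1 group, as used by BIP32.
const N = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');
const HARDENED = 0x80000000;

const toBig = (buf) => BigInt('0x' + buf.toString('hex'));
const to32 = (n) => Buffer.from(n.toString(16).padStart(64, '0'), 'hex');

// BIP32 private-key derivation for a hardened index. The HMAC input is the
// parent *private* key, so neither the parent public key nor a child key is
// enough to compute a sibling or to walk back up to the parent.
function deriveHardenedChild(parentKey, chainCode, index) {
  if (!Number.isInteger(index) || index < 0 || index >= HARDENED) {
    throw new RangeError('index must be an integer in [0, 2^31)');
  }
  const data = Buffer.alloc(37); // 0x00 || ser256(k_par) || ser32(i + 2^31)
  parentKey.copy(data, 1);
  data.writeUInt32BE(index + HARDENED, 33);
  const I = crypto.createHmac('sha512', chainCode).update(data).digest();
  const IL = toBig(I.subarray(0, 32));
  const child = (IL + toBig(parentKey)) % N;
  if (IL >= N || child === 0n) throw new Error('invalid child; try the next index');
  return { key: to32(child), chainCode: I.subarray(32) };
}

// Hypothetical origin-to-index mapping (an assumption made for this example).
function appIndex(origin) {
  return crypto.createHash('sha256').update(origin).digest().readUInt32BE(0) & 0x7fffffff;
}

// The app is handed only the child key, never the identity key or chain code.
function appKeyFor(identityKey, chainCode, origin) {
  return deriveHardenedChild(identityKey, chainCode, appIndex(origin)).key.toString('hex');
}

// Constructed sample secrets; a real wallet derives these from its seed.
const identityKey = crypto.createHash('sha256').update('constructed identity key').digest();
const chainCode = crypto.createHash('sha256').update('constructed chain code').digest();
console.log(appKeyFor(identityKey, chainCode, 'https://app-one.example'));
console.log(appKeyFor(identityKey, chainCode, 'https://app-two.example'));
```

Each origin gets a stable key of its own, so script injected into one app can expose at most that app's key and the data encrypted under it.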