Part of RSC is the ability to have each component fetch their own data on the server, or at build time. Meaning you can use this part for static pages, offline apps, etc. But that part is unrelated to this vulnerability.
I already feel this with an app that only serves a few thousand people. Even with the paranoia I managed to mess up the updater once, a year+ later and still have people who haven't updated from that version.
Always good to have a few redundant systems to help with this. Minimum being some way to push alerts to specific versions.
Doesn't sound very smart to iframe to some unknown third party that could be compromised. But their implementation is pretty simple, can easily be copied and implemented on your own domain.
Their example doesn't even seem to work on mobile at least (just iframes the homepage itself), which doesn't really inspire confidence.
catch_unwind doesn't catch all panics. I imagine that running a thread would actually catch all panics, but I don't know enough about the subject to say that confidently.
I'm currently suffering the pains of developing a Tauri app that relies on the system WebView (which is the default for Tauri). It's unreliable (especially on Windows where people love to mess around and run "debloat" scripts), and causes slight differences on each platform. Tauri lets you bundle the WebView, but this causes the installer to grow like 150 MB. I presume this alternative would be a lot smaller.