Is this just a specific case of the general one?
More generally “TiddlyWiki is unable to support JavaScript without it being installed (as a tiddlywiki module), saved and reloaded”.
- So unless someone can save the wiki back to the host/server, they cannot “inject code”.