Hacker News

"Particularly safe" is a bit alarmist, one could make the same argument about literally anything that connects to a public network isn't particularly safe


I.e. disabling JS is all fine, but in the end it is just 'safer', and whether or not that is already 'particularly safe' is a rather subjective thing.


It isn't particularly safe compared to having JS disabled. RCE exploits, stealthy CSRFs, etc. that work with JS disabled are exceedingly rare compared to their JS counterparts.

This is quantifiable, not "alarmist".


There are plenty of stealthy CSRFs that don't require JavaScript, but you probably meant stealthy XSS.


I did not.



