Along with T3951, I think there needs to be another split of swh-web: currently, it is used for both:
1. browsing (highly-untrusted) content of the archive
2. administrative stuff (save code now, add-forge ticketing, deposit, mailmaps)
This means XSS vulnerabilities in the former can grant attackers access to the latter, because they are on the same domain (shared cookies and sessions).
T4028 would make it harder to exploit this kind, but it is still a large attack surface.
See D7323 and D1322 for examples of such vulnerabilities, which would have had negligeable impact if privileged UIs were on a separate domain.
(Note that, of course, issues like D1433 and D7454 would not be mitigated by this; because they happen within administrative UIs)