In https://phabricator.wikimedia.org/T197842#5895911 it is proposed to make texvcjs only a plain sanity check, that does not modify the LaTeX + mhchem input in any way before passing it to the rendering engine.
Currently, there is no consensus if
- that's secure enough and
- if this implies additional hardware costs due to missing unification.