In https://phabricator.wikimedia.org/T197842#5895911 it is proposed to make texvcjs only a plain sanity check, that does not modify the LaTeX + mhchem input in any way before passing it to the rendering engine.
Currently, there is no consensus if
that's secure enough
I am not sure what security implications you have in mind. MathJax cannot write to the hard-disk like good-old LaTeX could.
if this implies additional hardware costs due to missing unification.
My hypothesis: If you normalize spaces (remove spaces at the beginning and end, replace multiple spaces by a single one), you wouldn't have too many duplicates.
On the other hand, detecting that H+ and H^+ and H^{+} will render identically isn't done today, anyway (and would require a re-implementation of mhchem's parsing algorithm).
I would prefer texvcjs not to alter any input. But if that cannot be changed, please keep in mind that mhchem is just an input-to-LaTeX engine. So instead of user-input -> texvcjs -> (MathJax) -> mhchem -> MathJax, maybe user-input -> (texvcjs) -> mhchem -> texvcjs -> MathJax would make more sense, where texvcjs hands the content of all \ces to mhchem and then normalizes the resulting LaTeX. This could have further advantages like improved accessibility for chemistry-only formulas (when using mhchem's parsing results for that, instead of MathJax's).