
Set $wgAllowSiteCSSOnRestrictedPages = true by default
Open, Low, Public

Description

Disallowing CSS on certain pages adds slight security (it becomes slightly more difficult to do an attack on those pages), but isn't worth the cost for the majority of projects (see the issues listed on T73621). CSS should not be disallowed by default.

This is because if users are allowed access to the site CSS at all, even if the JS-specific vector is fixed, they can still mess up everything besides these pages just fine, so still getting two vanilla pages isn't going to change a whole lot. Given that actually entirely fixing the potential JS issues is a hard problem, however, consider what can be done with the API. The MediaWiki API allows most interface actions, and some others, to be taken. For example, if you're trying to steal a user's login, it'd be pretty easy to use JS and the API to spoof the login form and get their info that way (and even log them in in the process). Just replace every link on the site to special:userlogin with something that looks similar, and then write that page to be the login form, with a few slight modifications.

And once they're already logged in, well, there's no end to what you could do then.

Everyone's best option is to just be careful about who and what you let near the site CSS in the first place.

Event Timeline

Isarra raised the priority of this task from to Needs Triage.
Isarra updated the task description.
Isarra added subscribers: Isarra, Legoktm, MZMcBride, ashley.