
The problem we tried to solve with Opa was more general than RSC, probably too general.

    // Opa decides
    function client_or_server(x, y) { ... }
    // Client-side
    client function client_function(x, y) { ... }
    // Server-side
    server function server_function(x, y) { ... }

Without the optional side inference (which could also use both), it seems we had similar side constraints, and serializers/sanitizers. Probably with the same flaws as the recent vulnerabilities... Like all the OWASP AppSec circa 2013-2015 range of exploits in browser countermeasures when the browsers were starting to roll out defense in depth with string matching :)

