wilgertvelinga 5 days ago

Is there anything Electrobun does to prevent XSS vulnerabilities? The docs actively promote setting .innerHTML, without any warning regarding concatenating user input.

cxr 5 days ago

What can it do? The only thing that prevents that is the programmer knowing what kinds of inputs they're dealing with and making sure unsafe input is properly escaped into safe input when the context calls for escaped input. There's no getting around this.
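The point cxr makes, as an added JavaScript example (not code from Electrobun or either commenter): the string handed to innerHTML is built with an escaper chosen for each context, beside the raw-concatenation shape the docs encourage. The names escapeHtml, safeHref, renderComment and the sample comment object are assumptions for this illustration.

```javascript
// Added example, not Electrobun's code: composing HTML for innerHTML from
// untrusted values, escaping per context instead of concatenating raw input.
// Runs under Node without a DOM; the returned string is what you would assign.

// Text and quoted-attribute contexts: replace the five characters that can
// change HTML structure. Sufficient only when attribute values are quoted.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// URL context: entity escaping does nothing against a javascript: scheme,
// so allow only http(s) and fall back to an inert placeholder.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) { /* unparsable input falls through to the placeholder */ }
  return '#';
}

// Vulnerable shape: raw concatenation, as a plain "set innerHTML" tutorial shows it.
function renderCommentUnsafe(c) {
  return `<div class="comment"><a href="${c.url}">${c.author}</a>: ${c.body}</div>`;
}

// Hardened shape: every interpolation passes through the escaper for its context.
function renderComment(c) {
  return `<div class="comment"><a href="${escapeHtml(safeHref(c.url))}">` +
    `${escapeHtml(c.author)}</a>: ${escapeHtml(c.body)}</div>`;
}

// Constructed sample input (hypothetical): a comment whose fields carry markup.
const sample = {
  author: 'mallory',
  url: 'javascript:alert(1)',
  body: '<img src=x onerror="alert(1)"> & "quotes"',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderCommentUnsafe(sample)); // markup would land in the DOM live
  console.log(renderComment(sample));       // el.innerHTML = this renders as text
}
```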