It's clear from that bug tracker that you shouldn't let libxlst see untrusted stylesheets or xpath expressions.

I haven't yet seen a problem with running your own transformations against untrusted XML.

Maybe a new maintainer could aim to make the second case fully supported but not the first.