So your example is flawed, since Windows is rotten from the inside already.
JS in youtube-dl is used to get the video's ID.
How? We don't know exactly yet.
JS is problematic because:
- it gathers my data
- it can be executed on my PC, most likely to gather data anyway (regarding
youtube)
JS is problematic if:
- it's proprietary (no access to what it really does)
- it's executed without limits.
Sandboxing can matter regarding the last point.
For example, simply firejailing youtube-dl should work to limit how much of
my PC this program has access to.
Then there's the matter of linking my IP to whatever I'm watching/listening.
In theory, this only possible through TOR, using a convoluted process
(download from the link I get from TOR, but only read the file when TOR is
turned off).
But maybe a VPN is enough (even if it's not de-anonymizing) because why go
through the effort of inspecting further if it costs too much ressources.
Disclaimer: my reasoning probably isn't without flaws.