If you pre-populate JavaScript with sensitive information - say, you interpolate credentials as literals in your JavaScript code - an attacker will be able to read those credentials when a victim visits their site.
unsafe-interpolation.py
@app.route('/js/bundle.js') def javascript: """Don't ever do this!""" return render_template('js/bundle.js', INSERT_API_KEY_HERE=session.api_key)