I've had some luck with this idea of keeping the "Clauded" bits separate where possible. Do you really care if it creates a spaghetti mess if the result is some visually beautiful low-trust site that lives in its own repo entirely, vs. letting it run in autoapprove mode inside a module where critical hand-written crypto code exists?