I have no idea how naive this question is... but here goes.

Some privacy-conscious users disable JS, or use NoScript to selectively enable JS. My understanding is that this is (1) because JS engines are often themselves a source of vulnerabilities, (2) untrusted code execution might be risky in the face of speculation execution/access attacks.

Do such users need to worry about either, or both, with such advanced, compute-y CSS primitives?