I know from the Electron docs that external/remote content is not to be trusted and a good way of mitigating the risks associated with using this content is to turn nodeIntegration off, load into a webview, etc.
Do the warnings about external content apply to modules included in the app via npm, i.e., if I use any code I did not write I should enable the above controls? Or are these warnings more about loading a remote file via a script tag or dumping a web page to the app via a call to loadUrl?