Tony Ennis
May 14, 2025
Inline Event Handlers
  • I asked ChatGPT why it's discouraged to use inline event handlers like onclick, and here's what it gave me.

  • TL;DR

  • Inline on* attributes are discouraged today because:

    • They break modern CSP and reopen XSS holes.

    • They tangle behaviour into markup, hurting readability and reuse.

    • They scale poorly (one handler, no delegation, global scope).

    • They lose caching and optimization benefits of external scripts.

    • Tooling and frameworks assume you aren’t using them, so you swim upstream.

  • Digging a bit deeper, I asked it to give me some examples of the security holes that they open up. The attack vector is dependent upon you executing user-supplied code. There is one scenario which seems like it could slip into production, but the other scenarios seem much, much harder to happen, much less plausible, when you're using a library that generally sanitizes outputs like Rails.
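The scenario that most plausibly slips past a framework's default escaping is worth seeing concretely. The block below is an added example, written for this post and not taken from ChatGPT's answer or from Rails: it shows why HTML-escaping a value is correct for an attribute but still insufficient when that attribute is an inline on* handler (the browser entity-decodes the attribute and then hands the result to the JavaScript parser), how a data attribute plus a listener attached from an external script avoids the problem, and how a CSP `script-src` without `'unsafe-inline'` rules inline handlers out altogether. The functions `greet`, `otherFunction`, `attachGreetHandlers`, the two CSP strings and the sample input are all assumptions constructed for the illustration. It runs under Node without a DOM.

```javascript
// Added example, not code from the original post. Shows the escaping-context
// mismatch of inline on* handlers and a CSP check that blocks them.

// Rails-style HTML escaping: the five characters ERB's html_escape replaces.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// The browser entity-decodes an attribute value before anything else sees it;
// for an on* attribute, the decoded text is compiled as the handler body.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ({
    amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'",
  })[e]);
}

// Pattern A (discouraged): behaviour inline in markup. The escaping is right for
// the HTML layer, but the value then lands inside a JavaScript string literal.
function renderInline(userName) {
  return `<button onclick="greet('${htmlEscape(userName)}')">Hi</button>`;
}

// Pattern B: data stays data; behaviour is attached from a script file.
function renderDataAttr(userName) {
  return `<button class="greet" data-name="${htmlEscape(userName)}">Hi</button>`;
}

// Hypothetical application function the handler is meant to call.
function greet(name) {
  return `Hello, ${name}`;
}

// Listener for pattern B, loaded from an external script (allowed by script-src
// 'self'). dataset values are plain strings; nothing here is parsed as code.
function attachGreetHandlers(root) {
  root.addEventListener("click", (ev) => {
    const btn = ev.target.closest("button.greet");
    if (btn) greet(btn.dataset.name);
  });
}

// The JavaScript source the browser would compile for the inline handler.
function inlineHandlerSource(html) {
  const m = html.match(/onclick="([^"]*)"/);
  return m ? decodeEntities(m[1]) : null;
}

// The string the data-attribute pattern hands to greet(): the decoded attribute.
function dataAttrValue(html) {
  const m = html.match(/data-name="([^"]*)"/);
  return m ? decodeEntities(m[1]) : null;
}

// Count ';' outside single-quoted string literals: a minimal stand-in for the JS
// parser's view. The intended handler greet('...') has zero; an injected value
// that closes the literal adds statements.
function statementsOutsideStrings(src) {
  let inString = false, count = 0;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (inString && c === "\\") { i++; continue; }   // skip escaped char
    if (c === "'") inString = !inString;
    else if (c === ";" && !inString) count++;
  }
  return count;
}

// Constructed CSP headers: the first forbids every inline handler, the second
// re-enables them (and with them this whole class of problem).
const CSP_STRICT = "default-src 'self'; script-src 'self'";
const CSP_LEGACY = "default-src 'self'; script-src 'self' 'unsafe-inline'";

// Simplified check: does the policy let on* attribute handlers execute at all?
function cspAllowsInlineHandlers(policy) {
  const directives = Object.fromEntries(
    policy.split(";").map((d) => d.trim().split(/\s+/))
      .filter((p) => p[0]).map(([name, ...v]) => [name, v]));
  const sources = directives["script-src"] || directives["default-src"] || [];
  // 'unsafe-hashes' permits handlers whose hash is listed: narrower, still "allows".
  if (sources.includes("'unsafe-hashes'")) return true;
  // CSP3: a nonce or hash source makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}
```

With a constructed input such as `Ann'); otherFunction(); ('`, `renderInline` produces markup that passes HTML escaping, yet `inlineHandlerSource` shows the browser compiling three statements instead of one; `renderDataAttr` hands the same bytes to `greet` as an ordinary string. Under `CSP_STRICT` the inline variant never executes in the first place, which is the point of ChatGPT's first bullet.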
