alt Hacker NewsNext.js has introduced some keywords such as 'use server' and 'use client' that you enter in the file at the top. Much like 'use strict'. If you attempt to use server code in a client file for example, it will get caught by the ts compiler / Linter.
But for sure the lack of clear lines for where the server ends and the client begins has always been a pain of these kinds of framework offerings.
Not just accidental inclusion but intentional insecure inclusion. FE developer gets a BE ticket (because why not that's the whole point right?) and forces something through all proper-channels leading to trusted (server) code running on the client.