That seems wildly naive in the post-XSS era. We've been here before, and that kind of analysis turns out to be wrong almost every time.

"Well, sure, this component is insecure but an attacker can't reach it" is like a 50%+ positive signal for an unexpected privilege elevation bug.