- Allow inserting of scripts in the head/body but only if the user is an admin and has significant trust
- Allow usage of the web editor and external editors
- Don't allow web posts to be updated by external editors
- Don't allow external posts to be updated by the web editor
Circumventing this would not do anything and the web editor wouldn't be able to parse it properly, which isn't an issue.
The server could also be provided with extra data such as header-includes: ["https://cdn.site/script.js"]. Other scripts can be provided directly in the source body. The server will either strip or keep these depending on the user's power level.
If the initial publisher of a post was an editor, then an admin can't add scripts to it.