From the Angular security guide there's this:
The built-in browser DOM APIs don't automatically protect you from security vulnerabilities. For example,
document, the node available through ElementRef, and many third-party APIs contain unsafe methods. Avoid directly interacting with the DOM and instead use Angular templates where possible.
'interacting' is a bit vague. I've sort of assumed that reading values from the DOM is safe. And indeed, all the examples on the page are involving content being inserted into the DOM. But it doesn't explicitly say that reading values can be dangerous. My primary use of ElementRef has been to read values, as that is highly useful for certain things, like a solution I have in mind for this question, where I might be able to inspect parent elements to switch modes in a component:
stackoverflow.com/questions/50862334/how-to-know-if-component-is-populated-by-a-route-or-by-template-in-angular-2
In addition, Renderer2 provides functionality for inserting content, but has no features facilitating reading content.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 老娘就宠你 的文章《Angular 2+ security: Is it safe to *read* values f》','https://www.manongdao.com/article-929762.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}