You should disable SCE if you are 100% sure that all application bindings (HTML, URL ...) are safe. For example, if an application always sanitizes user logins either on the server or in front of the client, then the additional ceremony applied by SCE may be required.
However, you can very rarely be 100% sure that all values are safe, especially when the application is growing and encoded by many developers. Enabling SCE provides that the application can only use values that are explicitly marked as reliable using one of the $sce.trustAsXXX methods.
For example, if you use ngBindHtml to render some HTML, AngularJS throws an error unless the scope variable assigned by ngBindHtml is wrapped in $sce.trustAsHtml. A similar application occurs when you set the templateUrl route or directive. This makes the application more secure with the error, which gives you the opportunity to check every place where the error occurs and decide whether to trust or fix it.
Finally, if you enable ngSanitize or implement the $sanitize service, then you do not need to disable SCE to use untrusted HTML values, since AngularJS will simply sanitize untrusted entries using the $sanitize service. Similarly, if the URL of the template shares the same beginning as the application, there is no need to explicitly wrap it.
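The three outcomes the answer describes (trusted value rendered as-is, untrusted value sanitized when a sanitizer exists, error otherwise, plus the same-origin templateUrl rule) as a small stand-alone model. This is an added example, not AngularJS code: `trustAsHtml`, `sanitize`, `bindHtml` and `templateUrlAllowed` are assumed stand-ins for `$sce.trustAsHtml`, `$sanitize`, ngBindHtml and the resource URL check, and the sanitizer is a deliberately crude allow-list.

```javascript
// Constructed model of the SCE decision rules described above (not AngularJS source).

// Marker type for values explicitly trusted via the assumed trustAsHtml().
class TrustedHtml {
  constructor(html) { this.html = html; }
}

// Assumed stand-in for $sce.trustAsHtml: marks a value as safe without inspecting it,
// so the responsibility for its safety lies with the caller.
function trustAsHtml(html) {
  return new TrustedHtml(html);
}

// Assumed stand-in for $sanitize: keeps only <b>, <i> and <p> tags, strips all
// attributes and removes every other tag (their text content is kept).
function sanitize(html) {
  return html.replace(/<\/?([a-z0-9]+)[^>]*>/gi, (tag, name) => {
    const n = name.toLowerCase();
    if (!['b', 'i', 'p'].includes(n)) return '';
    return tag.startsWith('</') ? `</${n}>` : `<${n}>`;
  });
}

// Models ngBindHtml under SCE:
//  - a TrustedHtml value is rendered unchanged
//  - a plain string is passed through the sanitizer if one is available
//  - otherwise the binding fails, which is the error the answer refers to
function bindHtml(value, sanitizer) {
  if (value instanceof TrustedHtml) return value.html;
  if (typeof sanitizer === 'function') return sanitizer(String(value));
  throw new Error('SCE: attempting to use an unsafe value in a safe context');
}

// Models the templateUrl rule: a URL on the application's own origin needs no
// explicit wrapping; anything cross-origin would have to be trusted explicitly.
function templateUrlAllowed(url, appOrigin) {
  return new URL(url, appOrigin).origin === new URL(appOrigin).origin;
}

// Usage with constructed inputs:
console.log(bindHtml(trustAsHtml('<b>ok</b>')));
console.log(bindHtml('<b onclick="x()">hi</b><script>alert(1)</script>', sanitize));
console.log(templateUrlAllowed('/views/login.html', 'https://app.example'));
```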