Since client side code is NEVER secure, to what purpose would generating it client-side even serve except to CREATE a security hole?
This isn't even a question you should be asking! You don't generate this stuff client side since any grade school script kiddie with greasemonkey or tampermonkey installed can slap around your JavaScript like a whore that's not paying out a full cut to her pimp.
Client side code IS NOT SECURE, so it really doesn't matter how random whatever you generate is, it's USELESS.