I don’t think the requirement is very strong, but if the complexity is manageable, [defense in depth](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)) is always a reasonable idea.
Next.js by itself has many security benefits built in:
- The focus on JAMStack ensures that most of your code runs on the secure sandbox of the browser’s client. The pages downloaded from the edge are the same for every user, and as such, the security surface is reduced. I.e., if you don't opt in to server rendering through `getServerSideProps`, you're serving static files to users.
- React has excellent built-in protections for XSS, as evidenced by the verbose `dangerouslySetInnerHTML` – this is in stark contrast to the jQuery model, which popularized direct HTML and DOM manipulation of attributes and nodes.
- When using API pages deployed as serverless functions, each request runs in an independent VM context not shared by any other request concurrently, and the underlying containers are recycled frequently. Again, the attack surface is massively reduced.
From an engineering perspective, we also have a security e2e test suite that we continuously run to ensure all the common attack patterns are considered.
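
Because React's raw-HTML opt-out is a single distinctive prop name, the places where its escaping is bypassed are easy to enumerate in review. The following is an added example, not part of the original comment or of Next.js: a heuristic Node.js scan of JSX source text for `dangerouslySetInnerHTML`. The `SANITIZERS` allowlist, the sample component and the file name are assumptions made for illustration.

```javascript
// Heuristic audit for React's raw-HTML escape hatch in JSX/TSX source text.
// SANITIZERS is an assumed allowlist; adjust it to the wrappers your code base uses.
const SANITIZERS = [/^DOMPurify\.sanitize\(/, /^sanitizeHtml\(/];
const RAW_HTML = /dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:\s*([^}]*)\}\}/g;

function classify(expr) {
  // A plain string literal carries no user input.
  if (/^(['"])[^'"]*\1$/.test(expr)) return "static";
  // Value is passed through a known sanitizer before reaching the DOM.
  if (SANITIZERS.some((re) => re.test(expr))) return "sanitized";
  // Props, state, fetched data, template strings: needs a human look.
  return "review";
}

function auditSource(file, text) {
  const findings = [];
  for (const m of text.matchAll(RAW_HTML)) {
    // 1-based line number of the match within the file.
    const line = text.slice(0, m.index).split("\n").length;
    const expr = m[1].trim();
    findings.push({ file, line, expr, verdict: classify(expr) });
  }
  return findings;
}

// Constructed sample component, not taken from any real project.
const SAMPLE = `
export default function Post({ post }) {
  return (
    <article>
      <h1>{post.title}</h1>
      <div dangerouslySetInnerHTML={{ __html: post.body }} />
      <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(post.bio) }} />
      <p dangerouslySetInnerHTML={{ __html: "&copy; 2024" }} />
    </article>
  );
}
`;

const report = auditSource("pages/post.jsx", SAMPLE);
for (const f of report) console.log(`${f.file}:${f.line} [${f.verdict}] ${f.expr}`);
```

The `{post.title}` interpolation is not reported because React escapes text children by default; only the three explicit opt-outs are listed, and only the unsanitized one is marked for review.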