BrowserPolicy.content.disallowEval() prevents $where in client mongo query?

Hi!
We have a situation where we are improving the security headers of our app, and noticed an interesting situation:
if I add the following policy:

import { BrowserPolicy } from 'meteor/browser-policy-common';
import { Meteor } from 'meteor/meteor';

Meteor.startup(() => {
    BrowserPolicy.content.disallowEval();
});

It prevents usage of $where on our Meteor collections client-side, like:

Collection.find({ $where: 'this.a > this.b' }).fetch()

Of course, we can achieve the same effect as above on the client side by refactoring to this:

Collection.find().fetch().filter(item => item.a > item.b)

But since we have a convention of using a helper to construct the same query both client-side and server-side for a reliable result, that would mean a lot of refactoring and poorer code quality IMO. I also find it peculiar that Meteor.Collection would be shipped with such a vulnerability if the BrowserPolicy is correct. Does anyone have experience with this and can weigh in? Thanks! :)
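As an added example (not code from the thread, from Meteor or from minimongo), the following Node-runnable JavaScript shows why a $where string depends on eval-style compilation, gives a check for whether the current runtime permits it, and shows one way to keep the shared client/server helper convention without $where: move the field comparison to write time into a flag field so the selector becomes a plain equality. The document fields and the aGtB flag name are assumptions.

```javascript
// Added example, not code from the thread or from Meteor/minimongo.
// Assumed document shape: { _id, a, b }; the flag field name aGtB is an assumption too.

// What a $where string boils down to: the selector text is compiled into a
// function with `this` bound to each document. That compilation uses
// new Function(), which a CSP without 'unsafe-eval' rejects, so the query
// throws client-side once BrowserPolicy.content.disallowEval() is in place.
function compileWhere(whereSource) {
  const fn = new Function(`return (${whereSource});`);
  return (doc) => Boolean(fn.call(doc));
}

function filterWithWhere(docs, whereSource) {
  return docs.filter(compileWhere(whereSource));
}

// Defensive check: does this runtime permit eval-style compilation at all?
// In a browser whose CSP omits 'unsafe-eval' this returns false.
function evalAllowed() {
  try { new Function('return 1;'); return true; } catch (err) { return false; }
}

// Refactor that keeps a shared client/server query helper without $where:
// compute the field comparison once at write time (insert/update path) into
// a plain boolean field, so the selector becomes an equality match that both
// minimongo and MongoDB evaluate without running any code.
function withComparisonFlag(doc) {
  return { ...doc, aGtB: doc.a > doc.b };
}

// The helper both sides would share; the selector it returns is eval-free.
function selectorAGreaterThanB() {
  return { aGtB: true };
}

// Minimal equality matcher standing in for Collection.find() on sample data.
function matchesEqualitySelector(doc, selector) {
  return Object.keys(selector).every((key) => doc[key] === selector[key]);
}

function filterWithoutWhere(docs) {
  const selector = selectorAGreaterThanB();
  return docs.map(withComparisonFlag).filter((doc) => matchesEqualitySelector(doc, selector));
}

// Constructed sample documents.
const SAMPLE_DOCS = [{ _id: 'x', a: 3, b: 1 }, { _id: 'y', a: 1, b: 3 }, { _id: 'z', a: 2, b: 2 }];
```

Both filters select the same document, but only the second one survives a CSP that disallows eval; in a real app the flag would be set in the insert/update path rather than by mapping at query time.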

Trying to understand your point on vulnerability. What kind of attack is Meteor.Collection vulnerable to?

Please read this (specifically the chapter "Disable JavaScript execution"): Top 10 security best practices for MongoDB - Sqreen Blog

The topic is not Meteor related.

The issue described originates in MongoDB.