Documentation should clarify that server state is not automatically per-request
Describe the bug
External variables, stores and other state processed during load functions will keep references in memory that persist across all visitors of the website handled by the same server node instance.
This happens with “svelte-kit dev”, “svelte-kit preview” and in production, at least tested on Netlify.
I think this issue comes from the assumption that node SSR is running clean on each instance.
To Reproduce
Use this basic demo repo https://github.com/Egnus/sveltekit-bug-server-XSS-repro
- run npm run dev
- and go to localhost:3000/todos. There is a further red text block explaining what happens there
- reload the page several times, and notice how the counter stays at 1 in the browser but keeps growing on the server, which is also accessible to the visitor by viewing the source code or disabling JavaScript, so the hydration doesn’t fix the XSS issue
- Use several browsers and incognito mode to find the same values shared for all users. An experienced hacker could get access to others’ data by accessing those values in memory.
Expected behavior
SSR runs clean in every call (ideal safe option), forced by the SvelteKit boot. OR the documentation could clearly state these issues and how to protect from XSS during load.
Information about your SvelteKit Installation: This is happening with the latest version of SvelteKit
Severity
Very severe since this is not mentioned in the documentation: https://kit.svelte.dev/docs#loading-input-context and there is also no clear mention of this memory between calls anywhere.
Issue Analytics
- State:
- Created: 2 years ago
- Reactions: 1
- Comments: 6 (3 by maintainers)
Top GitHub Comments
Well I have to say that Svelte has one of the best documentations I have ever seen (together with three.js); having at least those warnings I think is the bare minimum for the mainly frontend-focused developers who are facing for the first time a fullstack experience with more control over SSR rules. Many people, me included, until not long ago, thought that each call to a server was clean, as there was no reason to believe that scoped variables would be accessible by different users at different times. And somehow I feel like this is good to mention so people organize their code earlier, knowing this surprising behaviour for pure FE devs.
To clarify the issue here, scoped variables aren’t accessible by different users. The issue is that there’s an unscoped global variable:
https://github.com/Egnus/sveltekit-bug-server-XSS-repro/commit/05fe07de52c2a9fabf018175130b90328620973e#diff-276a0044b7db537e1835eb8b2c20368b8a7437a3fde350198bff4db2b9e418fe
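As an added illustration of the maintainer's point (not code from the issue or the repro repository): a mutable variable at module scope is created once per Node process and is therefore visible to every request that process handles, while state created inside the handler is per request. The `leakyLoad`/`safeLoad` functions and the `store` argument are simplified stand-ins, not SvelteKit's real load API.

```javascript
// Simulates two visitors served by the same Node process, comparing a
// module-scope variable mutated inside a load-style function with state
// that is created per request. Names and signatures are hypothetical.

// --- Leaky pattern: state lives at module scope, shared by all requests ---
const sharedTodos = [];   // created once when the module is first imported
let sharedCounter = 0;    // survives from one request to the next

function leakyLoad({ user }) {
  sharedCounter += 1;
  sharedTodos.push(`${user}: private todo`);
  // Every visitor receives the accumulated data of all previous visitors.
  return { counter: sharedCounter, todos: [...sharedTodos] };
}

// --- Per-request pattern: nothing mutable is kept at module scope ---
function safeLoad({ user, store }) {
  // `store` is a hypothetical per-user data source handed in by the caller
  // (in a real app: a database or session lookup), not a module-level cache.
  const counter = 1;
  const todos = store.get(user) ?? [];
  return { counter, todos: [...todos] };
}

// Constructed sample data: two users, each with their own todo list.
function simulate() {
  const store = new Map([
    ['alice', ['alice: buy milk']],
    ['bob', ['bob: call dentist']],
  ]);
  const leaky = [leakyLoad({ user: 'alice' }), leakyLoad({ user: 'bob' })];
  const safe = [safeLoad({ user: 'alice', store }), safeLoad({ user: 'bob', store })];
  return { leaky, safe };
}

// Check usable in a test suite: does the second visitor's response contain
// any item that belonged to the first visitor's response?
function leaksAcrossUsers(responses) {
  const [first, second] = responses;
  return second.todos.some((t) => first.todos.includes(t));
}

module.exports = { leakyLoad, safeLoad, simulate, leaksAcrossUsers };
```

Running `simulate()` once shows the leaky counter reaching 2 for the second visitor and Alice's todo appearing in Bob's response, while the per-request version stays at 1 with no overlap.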