I put together this module to override those services (both the xss filter and the relative url filter, as both strip an existing cdata tag) and add in a check for cdata sections: https://www.drupal.org/project/rss_trust_cdata →
You can use that module or check the source to see how it was implemented in order to write your own.
I still think this core service should include some ability to trust content or just opt out of rewriting, but as nicxvan said, overriding the core services will work for now.
Is there a way to avoid this xss filter? If we're constructing an rss feed whose content we trust, then there should be a way for that content to survive this event subscriber. I would've assumed that wrapping the trusted content in its own CDATA during rendering would've worked, but this new event subscriber doesn't check for existing cdata, and just filters everything without prejudice.
The issue seems to be that it removed a `!` from the line declaring $optimize_js, so now js is only optimized in maintenance mode. #3373328 was focused on the css aggregation, so its understandable that the missing exclamation point for js optimization would be overlooked.
Is there a d10 version of this patch? We'd been using !2980 on a D9 site and are trying to upgrade to D10. !204 looks like its set for D10.1, but for some reason that MR has over a thousand commits, most of which don't seem related.