Blazor Server JsInterops and DotNetReference: How vulnerable does the system become?
I was reading this article on the Microsoft docs https://docs.microsoft.com/en-us/aspnet/core/blazor/security/server/threat-mitigation?view=aspnetcore-6.0 and I was wondering if a malicious user could just change, for example, an object that I pass from JavaScript to Blazor, where I deserialize it, and instead make it execute a very bad command like formatting the machine or calling .NET functions on singleton services that are injected in the Blazor component. I need to call JS and .NET back and forth because I'm using a JS library to display graphs and other stuff that is interactive and exchanges objects. I'm just a junior, so I don't know if I would be annoying my superiors by showing them these concerns, since we aren't working for a big public. I don't take strings from JS that I then pass to the database for query, absolutely not. But I don't know how much an injected malicious object can make itself call C# code once deserialized in the Blazor component, other than causing an exception on their own browser.
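A defensive sketch for the scenario in the question, added here and not part of the original post: Blazor JS interop deserializes arguments with System.Text.Json into the declared parameter type, so the usual mitigation is to declare a narrow DTO and validate its values before they reach any injected service. The `PointSelected` type, the `ChartInput` helper, the limits and the sample payloads are all hypothetical and constructed for illustration; the program runs as a plain console app without Blazor.

```csharp
using System;
using System.Text.Json;

// Constructed payloads standing in for what a tampered browser could send.
string[] payloads =
{
    "{\"seriesId\":3,\"label\":\"Q1\"}",                              // expected shape
    "{\"seriesId\":3,\"label\":\"Q1\",\"$type\":\"Some.Type, Asm\"}", // extra type hint
    "{\"seriesId\":-1,\"label\":\"Q1\"}",                             // out of range
    "{\"seriesId\":{\"x\":1},\"label\":\"Q1\"}",                      // wrong JSON type
};
foreach (var json in payloads)
{
    bool ok = ChartInput.TryAccept(json, out var sel, out var error);
    Console.WriteLine(ok ? $"accepted: {sel}" : $"rejected: {error}");
}

// Hypothetical DTO for a point-click event raised by the JS chart library.
public sealed record PointSelected(int SeriesId, string? Label);

public static class ChartInput
{
    const int MaxSeries = 100, MaxLabelLength = 64; // assumed limits

    // Assumed options for this sketch; default System.Text.Json behaviour otherwise.
    static readonly JsonSerializerOptions Options = new() { PropertyNameCaseInsensitive = true };

    // In a component, this check would run inside the [JSInvokable] method
    // before the value is handed to any injected service.
    public static bool TryAccept(string json, out PointSelected? value, out string? error)
    {
        value = null;
        error = null;
        PointSelected? parsed;
        try { parsed = JsonSerializer.Deserialize<PointSelected>(json, Options); }
        catch (JsonException) { error = "not a PointSelected"; return false; }

        if (parsed is null || parsed.SeriesId is < 0 or > MaxSeries)
        { error = "seriesId out of range"; return false; }
        if (parsed.Label is null || parsed.Label.Length > MaxLabelLength)
        { error = "label missing or too long"; return false; }

        value = parsed; // "$type" and other unknown properties were simply ignored
        return true;
    }
}
```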
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
