Securing Lightning Web Components

1. Locker
Lightning Locker is enabled for all custom Lightning web components. It is a security architecture for Lightning components that isolates components belonging to one namespace from components in a different namespace, so a component cannot read or modify the DOM or JavaScript state owned by another namespace.
2. Built-in protections
LWC also ships its own built-in security features, such as sanitization of malformed HTML in templates and blocking of code that is incompatible with the Content Security Policy (CSP).
Load Assets Correctly
To import a third-party JavaScript or CSS library, upload it as a static resource and load it with the loadScript and loadStyle functions from the lightning/platformResourceLoader module, passing the resource URL imported from @salesforce/resourceUrl. Because these files are then served from your own org rather than a third-party CDN, they satisfy the CSP, but their integrity becomes your responsibility at the moment you vendor them.

Blocking Inline Script
As part of the CSP implementation, LWC applications inside Salesforce are blocked from loading inline scripts and from running script placed in template attributes such as inline event handlers. Event handlers are wired to methods of the component's JavaScript class instead of being written as JavaScript in the markup.

Filtering a Dynamic Script
Lightning Locker blocks dynamic script evaluation through eval(). Lightning Web Security, Locker's successor, permits eval() to aid developers building complex applications on the Salesforce ecosystem, but runs it inside its JavaScript sandbox rather than in the page's global scope. Even where it is available, never pass data derived from user or network input to eval().
Add Third-Party APIs to Allowlist
To allow outbound requests to third-party APIs, add their origins to CSP Trusted Sites, found under Setup in your Salesforce org, and enable the directive the request needs (connect-src for fetch() and XMLHttpRequest calls). This allowlist does not extend script-src, so third-party JavaScript still has to be loaded from a static resource.
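The three CSP decisions in the sections above (inline script, eval(), and requests to a third-party host) come down to how a browser matches a policy's source lists. The following evaluator is added here, is not Salesforce's or LWC's code, and models only the parts of CSP source matching needed for those decisions; the page origin and the two policy strings are constructed to resemble a locked-down Lightning page before and after adding a CSP Trusted Site, not Salesforce's actual headers.

```javascript
'use strict';
// Added example: a minimal CSP evaluator for the cases discussed above.
// Not Salesforce code; the policies and origin are constructed for the demo.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// A fetch directive that is absent falls back to default-src.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get('default-src') || [];
}

// Match a URL against one source expression: 'self', '*', a bare scheme such
// as "https:", or a host with optional scheme and leading wildcard label.
// Port and path matching are deliberately left out of this demo.
function sourceMatches(src, url, pageOrigin) {
  if (src === '*') return true;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false; // 'none', 'unsafe-*', nonces and hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol.toLowerCase() === src.toLowerCase();
  let hostExpr = src;
  const schemeEnd = src.indexOf('://');
  if (schemeEnd !== -1) {
    if (url.protocol.toLowerCase() !== src.slice(0, schemeEnd).toLowerCase() + ':') return false;
    hostExpr = src.slice(schemeEnd + 3);
  }
  const host = hostExpr.split('/')[0].split(':')[0].toLowerCase();
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".example.com": matches subdomains, not the apex host
    return url.hostname.endsWith(suffix) && url.hostname.length > suffix.length;
  }
  return url.hostname === host;
}

// Inline scripts and inline event handler attributes need 'unsafe-inline'.
// (Browsers also ignore 'unsafe-inline' once a nonce or hash is present; not modeled here.)
function allowsInlineScript(directives) {
  return effectiveSources(directives, 'script-src').includes("'unsafe-inline'");
}

// eval() and Function() need 'unsafe-eval'.
function allowsEval(directives) {
  return effectiveSources(directives, 'script-src').includes("'unsafe-eval'");
}

// Would the given fetch directive (connect-src for fetch/XHR) permit this URL?
function allowsRequest(directives, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  return effectiveSources(directives, directive).some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed values; the real Lightning CSP is considerably longer.
const PAGE_ORIGIN = 'https://myorg.lightning.force.com';
const LOCKED_DOWN = "default-src 'self'; script-src 'self'; connect-src 'self'";
// Same policy after https://api.example.com was added as a CSP Trusted Site with connect-src enabled.
const WITH_TRUSTED_SITE = "default-src 'self'; script-src 'self'; connect-src 'self' https://api.example.com";

// Summarise what a policy permits for each case discussed on this page.
function evaluate(policy) {
  const d = parseCsp(policy);
  return {
    inlineScript: allowsInlineScript(d),
    evalCall: allowsEval(d),
    fetchOwnOrg: allowsRequest(d, 'connect-src', PAGE_ORIGIN + '/services/data/', PAGE_ORIGIN),
    fetchTrustedApi: allowsRequest(d, 'connect-src', 'https://api.example.com/v1/items', PAGE_ORIGIN),
    fetchOtherHost: allowsRequest(d, 'connect-src', 'https://cdn.example.net/lib.js', PAGE_ORIGIN),
  };
}

console.log('locked down:', evaluate(LOCKED_DOWN));
console.log('with trusted site:', evaluate(WITH_TRUSTED_SITE));
```

Note that adding a host to connect-src changes only the fetch decision: inline script and eval() stay blocked under both policies, which is why the allowlist cannot be used to pull in third-party scripts.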