Untouched DOMpurify
is accepted
ref: https://github.com/mozilla/amo-validator/blob/master/validator/testcases/hashes-allowed.txt
However, there are issues that can still cause complications.
Generally speaking, problems start when remote content is injected using innerHTML (or similar method of converting strings to DOM e.g. outerHTML, insertAdjacentHTML, parseFromString, createContextualFragment, JQuery append/prepend/appendTo/html/before/after/insertBefore/insertAfter)
Inserting un-sanitized remote content is a security problem. For example, JavaScript can be passed as href/src/on** etc.
Addon should ensure such strings are not-executable (and not javascript:somefunction).
There are other security concerns with data itself when it is not even DOM.
It all depends on the situation. Personally, I have found that it is often possible to insert remote data safely without the need for external sanitizing library.