An alert is raised for S2819 - Verify the origin of the received message - critical vulnerability, even if event.isTrusted is used. event.isTrusted is true only for events generated by the browser code, not generated by users, so it can’t come from an untrusted origin.
window.addEventListener("message", (event) => {
// FP reported here
if (event.isTrusted && event.data) {
}
}