The “Executing XPath expressions is security-sensitive” rule is a very generic “don’t trust user data” warning, which is always a false positive on any literal XPath. It could further be reduced to only complain about paths where the contents of the XPath are derived from user-controlled data, but not complaining about code like this is a start:
```javascript
var appointments = data.selectNodes("/items/appt");
```
edit: I guess SONARJAVA-3028 but for JavaScript as well.
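The distinction the post asks for, as an added example that is not part of the original post and not SonarJS's implementation: a line-based heuristic that stays quiet when the XPath argument is a single string literal and reports every other call. The function names, `req.query.id`, `userSuppliedPath` and the sample lines are constructed for illustration.

```javascript
// Heuristic sketch (assumption: one call per line, no real JS parser).
const XPATH_CALL = /\.(?:selectNodes|selectSingleNode)\s*\(/g;

// Returns the index just past a '...' or "..." literal starting at src[i], or -1.
// Template literals (backticks) are deliberately not accepted: they may interpolate.
function skipStringLiteral(src, i) {
  const quote = src[i];
  if (quote !== '"' && quote !== "'") return -1;
  for (let j = i + 1; j < src.length; j++) {
    if (src[j] === "\\") { j++; continue; } // skip escaped character
    if (src[j] === quote) return j + 1;
  }
  return -1; // unterminated literal
}

// True when the argument list is exactly one plain string literal.
function isLiteralOnlyArgument(src, start) {
  let i = start;
  while (/\s/.test(src[i] || "")) i++;
  const end = skipStringLiteral(src, i);
  if (end === -1) return false;
  i = end;
  while (/\s/.test(src[i] || "")) i++;
  return src[i] === ")"; // anything else (+, comma, call) means a dynamic path
}

// Reports XPath calls whose path is not a literal, so it could carry user data.
function findDynamicXPathCalls(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    XPATH_CALL.lastIndex = 0;
    while (XPATH_CALL.exec(line) !== null) {
      if (!isLiteralOnlyArgument(line, XPATH_CALL.lastIndex)) {
        findings.push({ line: idx + 1, code: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: two literal paths, one concatenation, one variable.
const sample = [
  'var appointments = data.selectNodes("/items/appt");',
  'var first = data.selectNodes("/items/appt[position()=1]");',
  'var byId = data.selectNodes("/items/appt[@id=\'" + req.query.id + "\']");',
  'var custom = data.selectSingleNode(userSuppliedPath);',
].join("\n");

console.log(findDynamicXPathCalls(sample));
```

A non-literal argument is not proof of injection, only a call worth reviewing; deciding whether the value is actually user-controlled needs taint tracking, which this sketch does not attempt.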