Comment by tines 9 hours ago

> you often need to validate your inputs, for example using something like Zod for TypeScript. And then it's not a static guarantee anymore; it's a runtime error.

True, but validating at the boundaries and having a safe core is much better than having the unsafe portion everywhere imo.

skybrian 7 hours ago

It depends on the system. Some servers just don't do very much. If a server validates the input and then just sends it on without doing any calculations, there's very little to go wrong that static analysis can warn you about.

And then the next server in line has to validate the data again.

  • alpinisme 6 hours ago

    Most languages have a way to represent a blob of bytes that you don’t care about the internal shape or meaning of. The point of parsing is to validate the stuff that you want to use. To use the Zod example from up-thread, you can use z.unknown() or use z.looseObject() if you care about some keys but not others (while wanting to propagate the whole object).

    • skybrian an hour ago

      Yep. Although, sometimes checking the data is the point. It will depend on whether you want to catch errors early.
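
The pass-through case discussed in this thread (check the keys a hop acts on, propagate the rest of the object unchanged), as an added example that is not from any commenter. It is a dependency-free TypeScript stand-in for the loose-object idea rather than Zod itself; `Envelope`, `parseEnvelope`, `forward` and the sample inputs are hypothetical.

```typescript
// Added illustration: hand-written stand-in for a "loose object" schema.
// Envelope, parseEnvelope and forward are hypothetical names.
type Envelope = { tenant: string; ttl: number } & Record<string, unknown>;

type Parsed =
  | { ok: true; value: Envelope }
  | { ok: false; error: string };

// Boundary check: only the keys this hop acts on are validated.
function parseEnvelope(raw: string): Parsed {
  let data: unknown;
  try {
    data = JSON.parse(raw);
  } catch {
    return { ok: false, error: "not JSON" };
  }
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    return { ok: false, error: "expected an object" };
  }
  const obj = data as Record<string, unknown>;
  const tenant = obj["tenant"];
  const ttl = obj["ttl"];
  if (typeof tenant !== "string" || !/^[a-z0-9-]{1,32}$/.test(tenant)) {
    return { ok: false, error: "tenant: invalid" };
  }
  if (typeof ttl !== "number" || !Number.isInteger(ttl) || ttl < 0) {
    return { ok: false, error: "ttl: invalid" };
  }
  // Keys this hop does not care about (e.g. "payload") are kept as-is.
  return { ok: true, value: { ...obj, tenant, ttl } };
}

// Core logic takes the typed value and never re-checks tenant or ttl.
function forward(env: Envelope): string {
  if (env.ttl === 0) throw new Error("ttl expired");
  return JSON.stringify({ ...env, ttl: env.ttl - 1 });
}

// Constructed sample inputs: one valid, one with ttl sent as a string.
const good = '{"tenant":"acme","ttl":3,"payload":{"any":["shape",1]}}';
const bad = '{"tenant":"acme","ttl":"3","payload":{}}';
```

The unvalidated `payload` reaches the next hop byte-for-byte in meaning, so that hop still has to parse whatever part of it it intends to use.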