This sounds similar to the default when you choose New Project > hello-webpage. By default it runs a lws server, where it serves all the files without further processing on the server.
If you added a package.json it would behave like the hello-express project, ie. instead of lws it would run npm install, npm start, which allows you to have separate files for dev, server and client.
There are several other project configurations possible too, and other web servers you can implement.
To learn about this, read Release v2.4.3 · webpack/webpack-dev-server · GitHub . In summary, the security issue is similar to CORS, where you give permissions for files served by webpack-dev-server to be on other webpages, specifically your glitch project web page. Needed because the glitch project is a container, a kind of proxy, so webpack would otherwise see it as another site when requests come in.
Ideally you wouldn’t use the devserver in glitch unless you’re debugging the project, because it will be slower and doesn’t do the minify steps.
Saying its “safe” or “secure” hides too many details.
Yes I get that! Command line parameters start out as nice and simple, then get complex quickly as little tweaks are added. Then they evolve into configuration files, keeping the parameters around as well, and it all looks a mess.
Part of the reason why the syntax is so fiddly, is that there is a command shell interpreting the command line before passing the parameters on to webpack.
Yet another edit …
The glitch project cdn is configured to serve the files freely, i.e. without checking which host, so in a sense it is less secure than webpack-dev-server … it just means any other website can have a link to the same assets and the browser won’t complain.