Re: Backend in JS!?
2. Yup, JS is a client based system at it's core, in server-side js it treats the server as the client in the functionality, HOWEVER this code is usually open to external input like an angular backend that can be logged into externally to the server. Some of these features are built-in parts of various frameworks, however they can be secured but usually it takes a fair bit of knowledge or reprogramming the framework if you are able to. There are also the other more general security issues with a lot of packages in that you can usually hit them with overflow attacks and other things like that (port hammering used to be a fun way to take something down that was using a JS based backend).
2.1 There is also the package problem which you ignored, in that NodeJS gives the packages a really large attack vector if they are compromised (as they have been previously), this allows a package to not only poison that package's code, but other parts of your project and was a huge issue only last year ongoing from 2018. This had the potential to affect not only client-side code (by way of redirection and injection of malicious code), but also as a way to insert multiple backdoors very efficiently onto a server.
2.2 Maybe talk to some security people man. The whitehats often use these vectors in reports as they are the most common used by hackers, well besides just talking someone into giving you access that is.
Your post-script makes no sense, you are saying you cannot target client-side frameworks because they run client-side (i'll assume the last part was meant to be server side). Yet a lot of these frameworks have ways of interacting with them FROM the client. Once you can give the framework reason to think you are running server-side (spoofing et.al.) you can then start to get the server-side code. If that is locked down you can start hitting it on insecurities in the most often used packages, trying for an overflow issue or something similar, the best would be if at some point db credentials are sent or received by the framework and you can catch them, pretty rare to come across that nowadays though.