diff --git a/package.json b/package.json
index 1c4790ffbad048..34b8623be21495 100644
--- a/package.json
+++ b/package.json
@@ -74,6 +74,7 @@
 "native-keymap": "2.2.1",
 "native-watchdog": "1.3.0",
 "node-pty": "0.10.0-beta19",
+ "safevalues": "^0.1.0",
 "spdlog": "^0.11.1",
 "sudo-prompt": "9.1.1",
 "tas-client-umd": "0.1.2",
diff --git a/src/tsec.exemptions.json b/src/tsec.exemptions.json
index dc1e805868f0e4..bbbe4c8f4609c3 100644
--- a/src/tsec.exemptions.json
+++ b/src/tsec.exemptions.json
@@ -1,5 +1,31 @@
 {
 "ban-trustedtypes-createpolicy": [
- "**/*.ts"
+ "**/vs/base/browser/markdownRenderer.ts",
+ "**/vs/base/worker/defaultWorkerFactory.ts",
+ "**/vs/base/worker/workerMain.ts",
+ "**/vs/editor/browser/core/markdownRenderer.ts",
+ "**/vs/editor/browser/view/domLineBreaksComputer.ts",
+ "**/vs/editor/browser/view/viewLayer.ts",
+ "**/vs/editor/browser/widget/diffEditorWidget.ts",
+ "**/vs/editor/standalone/browser/colorizer.ts",
+ "**/vs/workbench/api/worker/extHostExtensionService.ts",
+ "**/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts",
+ "**/vs/workbench/contrib/notebook/browser/view/renderers/webviewPreloads.ts",
+ "**/vs/workbench/services/extensions/browser/webWorkerExtensionHost.ts",
+ "**/vs/workbench/services/extensions/worker/extensionHostWorkerMain.ts"
+ ],
+ "ban-worker-calls": [
+ "**/vs/base/worker/defaultWorkerFactory.ts",
+ "**/vs/workbench/services/extensions/browser/webWorkerExtensionHost.ts",
+ "**/vs/workbench/services/extensions/worker/extensionHostWorker.ts",
+ "**/vs/workbench/services/extensions/worker/polyfillNestedWorker.ts"
+ ],
+ "ban-function-calls": [
+ "**/vs/workbench/api/worker/extHostExtensionService.ts",
+ "**/vs/workbench/contrib/notebook/browser/view/renderers/webviewPreloads.ts",
+ "**/vs/workbench/services/keybinding/test/electron-browser/keyboardMapperTestUtils.ts"
+ ],
+ "ban-eval-calls": [
+ "**/vs/workbench/api/worker/extHostExtensionService.ts"
 ]
 }
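Review bot: The new `"safevalues": "^0.1.0"` entry uses a caret range for a library that this commit puts on the `innerHTML` path in dom.ts, while most neighbouring entries in the hunk (`native-keymap`, `native-watchdog`, `node-pty`, `sudo-prompt`) are pinned to exact versions. For a 0.x package the caret still admits any 0.1.x release the next time the lockfile is regenerated. Pinning it as `"safevalues": "0.1.0"` would make every upgrade of this security-sensitive dependency an explicit, reviewed change. The yarn.lock entry in this diff does fix the resolved tarball and integrity hash, so the range only matters when the lockfile is refreshed.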
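Review bot: Narrowing `ban-trustedtypes-createpolicy` from `**/*.ts` to named files makes direct `createPolicy` calls visible, but nothing in this hunk covers the other way TrustedHTML is minted in this commit, the unchecked conversion imported from `safevalues/unsafe/legacy` in dom.ts. Unless a separate lint rule already restricts imports from `safevalues/unsafe/*`, new call sites of that conversion will not appear in this exemption list and would have to be found by code search during review. Since JSON cannot carry comments, the reason for each remaining exemption (in particular `ban-eval-calls` and `ban-function-calls` for `extHostExtensionService.ts`) is worth recording in the commit description or a tracking issue.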
diff --git a/src/vs/base/browser/dom.ts b/src/vs/base/browser/dom.ts
index 0e21c5087d8e29..d3a2957ee25591 100644
--- a/src/vs/base/browser/dom.ts
+++ b/src/vs/base/browser/dom.ts
@@ -17,6 +17,8 @@ import { FileAccess, RemoteAuthorities } from 'vs/base/common/network';
 import { BrowserFeatures } from 'vs/base/browser/canIUse';
 import { insane, InsaneOptions } from 'vs/base/common/insane/insane';
 import { KeyCode } from 'vs/base/common/keyCodes';
+import { legacyConversionToTrustedHTML } from 'safevalues/unsafe/legacy';
+import { unwrapTrustedHTML } from 'safevalues';
 
 export function clearNode(node: HTMLElement): void {
 while (node.firstChild) {
@@ -1343,12 +1345,6 @@ function _extInsaneOptions(opts: InsaneOptions, allowedAttributesForAll: string[
 return { ...opts, allowedAttributes };
 }
 
-const _ttpSafeInnerHtml = window.trustedTypes?.createPolicy('safeInnerHtml', {
- createHTML(value, options: InsaneOptions) {
- return insane(value, options);
- }
-});
-
 /**
 * Sanitizes the given `value` and reset the given `node` with it.
 */
@@ -1368,8 +1364,8 @@ export function safeInnerHtml(node: HTMLElement, value: string): void {
 allowedSchemes: ['http', 'https', 'command']
 }, ['class', 'id', 'role', 'tabindex']);
 
- const html = _ttpSafeInnerHtml?.createHTML(value, options) ?? insane(value, options);
- node.innerHTML = html as string;
+ const html = legacyConversionToTrustedHTML(insane(value, options));
+ node.innerHTML = unwrapTrustedHTML(html);
 }
 
 /**
diff --git a/yarn.lock b/yarn.lock
index 02c0f52cafb4ab..954074a1a17bda 100644
--- a/yarn.lock
+++ b/yarn.lock
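Review bot: In the last dom.ts hunk, `legacyConversionToTrustedHTML` (imported from `safevalues/unsafe/legacy` in the first hunk) is an unchecked conversion, so the only thing making the `node.innerHTML` assignment safe is that `insane(value, options)` is passed to it directly. The removed `safeInnerHtml` policy ran the sanitizer inside `createHTML`, which tied sanitizing and minting together; here the coupling is by convention only. A comment on that line such as `// safe: argument is the output of insane() with the allow-list built above; never pass an unsanitized string here` would keep a later edit from separating the two. The TrustedHTML is presumably now minted by a policy that safevalues registers itself, so any CSP `trusted-types` allow-list that named `safeInnerHtml` should be checked for the new policy name. The body of `safeInnerHtml` begins outside the hunk, so the option construction above these lines was not reviewed.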
@@ -8379,6 +8379,11 @@ safe-regex@^1.1.0: resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a" integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg== +safevalues@^0.1.0: + version "0.1.0" + resolved "https://registry.yarnpkg.com/safevalues/-/safevalues-0.1.0.tgz#44f0ad0e18b31e1d45acc9dbb0b5eba4e2e5b753" + integrity sha512-KLidvJHTZLxuhe/l7Mn4F0v3J6eElilMTnyainlRFwYvjD8qNzkO40fwr6VSf2Bq7HBLf+dTaS6jI+qKTv45fA== + samsam@1.1.2: version "1.1.2" resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.1.2.tgz#bec11fdc83a9fda063401210e40176c3024d1567"