
> An attacker will always be able to use an older browser version that does not have the built-in feature.

You do not purify DOM for the attackers' browser, they can just open the dev console and execute arbitrary JS anyway; you purify it so that user input that one renders is also safe for other users to see, without allowing attacker-controlled scripts to be executed or DOM elements that leak user info on load to be inserted.

And you can always simply start to show a banner that says "content blocked, upgrade your browser" in a few years, once a big enough majority of your target user base has upgraded to a browser that supports it.
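The fallback the comment describes, written out as an added example (not code from the thread or from any browser vendor): render untrusted, stored HTML only through the browser's built-in sanitizer, and on a browser that lacks it show the "content blocked" banner rather than falling back to raw `innerHTML`. It assumes the built-in feature is exposed as `Element.prototype.setHTML` (the HTML Sanitizer API); the two `make*Element` factories are constructed stand-ins for DOM elements so the logic runs under Node as well, and their toy `setHTML` is only a model of the real one, not a sanitizer anyone should ship.

```javascript
// Feature detection: does this element expose the built-in sanitizer?
// Assumption: the feature is Element.prototype.setHTML (HTML Sanitizer API).
function hasBuiltInSanitizer(el) {
  return typeof el.setHTML === 'function';
}

// Render stored, user-supplied HTML for *other* users to see.
// Returns 'sanitized' when the built-in sanitizer was used, 'blocked' when
// the browser has no sanitizer and a banner was shown instead.
function renderUntrustedHtml(target, untrustedHtml) {
  if (hasBuiltInSanitizer(target)) {
    target.setHTML(untrustedHtml);
    return 'sanitized';
  }
  // Fail closed: never fall back to innerHTML here, because that would
  // re-introduce stored XSS for every user still on an old browser.
  target.textContent = 'Content blocked: upgrade your browser to view it.';
  return 'blocked';
}

// Constructed stand-in for a modern element. The toy setHTML below only
// models the real API for this example (drops <script> elements and
// on* handler attributes); real browsers do far more than this.
function makeModernElement() {
  return {
    html: '',
    textContent: '',
    setHTML(html) {
      this.html = html
        .replace(/<script[\s\S]*?<\/script>/gi, '')
        .replace(/\son\w+="[^"]*"/gi, '');
    },
  };
}

// Constructed stand-in for a legacy element with no sanitizer at all.
function makeLegacyElement() {
  return { html: '', textContent: '' };
}

// Usage (constructed sample of stored user content):
const sample = '<b>hello</b><script>steal()</script><img src=x onerror="steal()">';
const modern = makeModernElement();
renderUntrustedHtml(modern, sample); // modern.html -> '<b>hello</b><img src=x>'
const legacy = makeLegacyElement();
renderUntrustedHtml(legacy, sample); // legacy.html stays '', banner text is set
```

The point of the structure is that the decision is made per rendering element, not per site: the only two outcomes are "sanitized by the platform" or "not rendered at all", so an old browser degrades to a banner instead of to an injectable page.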
