Hacker News

Have we learned nothing from Java's serialization fiasco?


I don't know how the JavaScript proposal does it, but you can certainly create generic clone structures that are safe for untrusted input.


I want to learn, can you elaborate?


Java's deserialization will instantiate any classes that the data tells it to, which in practice leads to myriad vulnerabilities as many classes have constructors that can be used to write files, execute shell commands, etc. Many programmers didn't realize this, and bad things happened.

This is a classic example: https://www.cvedetails.com/cve/CVE-2015-7501/

(Many more can be found under the CWE-502 "Deserialization of Untrusted Data" category)
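Added example (not code from the thread or from any project mentioned in it) showing the two halves of the point above: an `ObjectInputStream` that instantiates whatever class the bytes name, next to the same read guarded by a JEP 290 `ObjectInputFilter` allowlist (Java 9+). The `Point` and `Gadget` classes are constructed for the demo; `Gadget` stands in for any serializable class on the classpath whose deserialization hook has side effects, and only records that it ran instead of writing a file or running a command.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example, not from the thread. Requires Java 9+ (ObjectInputFilter, JEP 290).
public class DeserDemo {

    // The type the application actually expects to receive.
    static class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y;
        Point(int x, int y) { this.x = x; this.y = y; }
        @Override public String toString() { return "Point(" + x + "," + y + ")"; }
    }

    // Constructed stand-in for a gadget class: a Serializable class whose deserialization
    // hook (readObject) runs attacker-influenced code. A real gadget would write a file or
    // exec a command; this one only records that it executed.
    static final List<String> sideEffects = new ArrayList<>();

    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload;
        Gadget(String payload) { this.payload = payload; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            sideEffects.add("gadget ran with: " + payload); // stream data reaches this code
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // Vulnerable: the stream, not the application, decides which classes get instantiated.
    static Object readUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened: the filter is consulted for every class descriptor before an instance is
    // created, so Gadget.readObject never runs. "!*" rejects anything not listed; the
    // limits bound nesting depth, reference count and stream size against resource abuse.
    static Object readAllowlisted(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxrefs=64;maxbytes=4096;DeserDemo$Point;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Point(1, 2));
        byte[] hostile = serialize(new Gadget("rm -rf / (simulated)"));

        System.out.println("unsafe, benign:    " + readUnsafe(benign));
        readUnsafe(hostile);
        System.out.println("unsafe, hostile:   side effects = " + sideEffects);

        sideEffects.clear();
        System.out.println("filtered, benign:  " + readAllowlisted(benign));
        try {
            readAllowlisted(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile: rejected (" + e.getMessage()
                    + "), side effects = " + sideEffects);
        }
    }
}
```

Compile and run with `javac DeserDemo.java && java DeserDemo`. In the unsafe path the gadget's hook executes before `readObject()` even returns; in the filtered path the stream is rejected with an `InvalidClassException` at the class-descriptor stage and the side-effect list stays empty. The pattern uses the binary class name (`DeserDemo$Point`) because the filter matches on `Class.getName()`. A filter is the mitigation when a legacy protocol leaves no choice; the stronger fix is not to feed untrusted bytes to `ObjectInputStream` at all.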




