POC
Create an item with text <img src="doesntexist" onerror="alert('pwned')">
Impact, severity
The impact is not big because all the info is intended to be shared between chat members anyway. Currently none of the existing webxdc apps are resistant to malicious chat members (see "XDC-06" in https://delta.chat/en/2023-05-22-webxdc-security).
Also
The app seems to be keen on using innerHTML:
element.innerHTML = `<input class="AppListItemToggle" type="checkbox" onclick="AppBehaviour.ControlToggle(${ index });" ${ item.done ? 'checked' : '' } /> <span class="AppListItemName" onclick="AppBehaviour.InterfaceEdit(${ index });">${ item.text }</span>`;
innerHTML is also used in webxdc.js, which can be found in a lot of webxdc example apps, but I don't know if it's exploitable there.