
Remember that if you pass through any data from an outside source, you're running their code on your browser when you thought you were just printing a document.

The security issues don't apply in all circumstances, of course, but if you feel like taking a shortcut to PDF generation and printing through a headless browser, you need to keep them in mind.
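The point above in working form, as an added example that is not code from the thread or from any project it mentions: the HTML handed to the headless browser is built twice, once with outside data concatenated straight in (the shortcut) and once with every value escaped and a Content-Security-Policy meta tag that tells the browser to run no scripts and fetch nothing. The function names, the `containsActiveContent` pre-flight check and the sample rows are all constructed for this example.

```javascript
// Added example, not code from the thread or any project it mentions.
// Builds the HTML that a headless browser will render to PDF, treating
// every outside value as text. Function names here are chosen for the example.

// Escape the five characters that let text turn into markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The shortcut the comment warns about: outside data concatenated straight
// into the document, so markup in a field is executed when the page loads.
function renderReportUnsafe(title, rows) {
  const body = rows
    .map((r) => `<tr><td>${r.name}</td><td>${r.amount}</td></tr>`)
    .join('');
  return `<html><body><h1>${title}</h1><table>${body}</table></body></html>`;
}

// Hardened version: every value is escaped, and a CSP meta tag tells the
// browser to run no scripts and fetch nothing, even if an escape is missed.
const CSP = "default-src 'none'; style-src 'unsafe-inline'";
function renderReportSafe(title, rows) {
  const body = rows
    .map((r) => `<tr><td>${escapeHtml(r.name)}</td><td>${escapeHtml(r.amount)}</td></tr>`)
    .join('');
  return (
    `<html><head><meta http-equiv="Content-Security-Policy" content="${CSP}"></head>` +
    `<body><h1>${escapeHtml(title)}</h1><table>${body}</table></body></html>`
  );
}

// Defender-side check to run before handing HTML to the browser: does the
// document still contain anything that would execute or reach the network?
function containsActiveContent(html) {
  return /<script\b|<iframe\b|<object\b|<embed\b|\son\w+\s*=|javascript:/i.test(html);
}

// Constructed sample input: one ordinary row and one whose "name" field
// carries markup, as a field from an outside feed might.
const sampleRows = [
  { name: 'Alice', amount: 12.5 },
  { name: '<script>document.body.innerHTML = "injected"</script>', amount: 3 },
];

const unsafeHtml = renderReportUnsafe('Invoices', sampleRows);
const safeHtml = renderReportSafe('Invoices', sampleRows);
console.log('unsafe has active content:', containsActiveContent(unsafeHtml)); // true
console.log('safe has active content:', containsActiveContent(safeHtml));     // false
```

Escaping at the template boundary is the primary control; the CSP tag and the pre-flight check are defence in depth for the case where a value slips through unescaped. The browser side can be tightened further: Puppeteer, for instance, lets a page be rendered with `page.setJavaScriptEnabled(false)` and with request interception that aborts every outgoing request, which removes both the code-execution and the data-exfiltration path even when the document is hostile.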



I highly recommend that anyone using a headless browser that may access outside sources employ something like this to run the headless browser in an external environment, in this case AWS Lambda: https://github.com/justengland/phantom-lambda-template

I used this approach for a project at a previous company and not only did it keep the potentially unsafe external code execution isolated from the rest of the stack, but it also proved to be fantastically scalable because of the ability to have AWS Lambda running many headless browsers in parallel compared to trying to scale something like this out on your own hardware.


That's a neat approach. I'm not on anything like that scale though; I'm looking for something to get rid of JasperReports.


Did you find any library that implements this? I mean, it should not be hard to implement: just slap together some templating language like Thymeleaf or Velocity and shell it to the headless browser. But still, it would be nice to have all this already implemented.


Last time I had to generate PDFs from scratch rather than inheriting a mess, I built a custom, heavily modified version of Bootstrap (I really ripped it apart) just for print use and fed it to wkhtmltopdf via Snappy. It worked great and was very fast to develop, since I could output to the browser as HTML to debug.


Rendering a PDF you got some other way is also "Running their code", just in a different sandbox :-)


I don't think you're thinking of the same case: this is "open a browser, and output a PDF"; not "read a PDF."



