Hi astrorob,
Thanks for the detailed write-up, and especially for narrowing it down to the security settings. That was the key clue. This is a genuine false positive on our side, not anything wrong with your setup or those plugins.
Here's what happened. 2.0.1 added a render-time security check that re-scans the final HTML of pages that process Twig in their content, to catch certain script-injection tricks. The problem is that the scanner can't tell a legitimate inline <svg> from a malicious one, and inline SVG is full of the exact things it's trained to be suspicious of (the xmlns attribute, <title> and <style> elements inside the icon, and so on). So any page that processed content Twig and rendered an inline SVG got blanked. That's why your Tabler icons and the GitHub-style alerts both broke: the alerts render an inline SVG status icon too.
You've got it working, but I'd suggest a cleaner workaround than disabling "Filter on Events" and editing the dangerous tags list, since those weaken protection across your whole site. Instead, turn off just the new render-time scan in user/config/security.yaml:
    twig_content:
      xss_scan_output: false
That leaves all the other XSS protections in place and only disables the over-eager output re-scan.
The proper fix is already done and lands in 2.0.2: the scan now skips legitimate inline SVG and MathML while still catching injected scripts around them, so icons and alerts render normally with no config changes needed. Once you're on 2.0.2 you can revert the workaround above.
Thanks again for the report.
— Andy
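Added example, not part of the reply above and not the project's scanner code: a minimal output scanner showing why a tag and attribute denylist blanks a harmless inline icon, and how tracking `<svg>`/`<math>` nesting removes the false positive while script elements and event handlers are still reported. The denylists, the `scan` function and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Hypothetical denylists for illustration; the reply names xmlns, <title> and <style>.
SUSPICIOUS_TAGS = {"script", "iframe", "object", "style", "title"}
SUSPICIOUS_ATTRS = {"xmlns"}
# Still rejected inside inline SVG/MathML in the aware mode.
ALWAYS_FLAGGED = {"script", "iframe", "object", "foreignobject"}
INLINE_ROOTS = {"svg", "math"}

class OutputScanner(HTMLParser):
    def __init__(self, svg_aware):
        super().__init__()
        self.svg_aware = svg_aware
        self.depth = 0          # nesting depth inside <svg>/<math>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in INLINE_ROOTS:
            self.depth += 1
        relaxed = self.svg_aware and self.depth > 0
        for name, value in attrs:
            val = (value or "").strip().lower()
            if name.startswith("on") or val.startswith("javascript:"):
                self.findings.append(f"{tag}[{name}]")   # handlers are never relaxed
            elif name in SUSPICIOUS_ATTRS and not relaxed:
                self.findings.append(f"{tag}[{name}]")
        if tag in ALWAYS_FLAGGED or (tag in SUSPICIOUS_TAGS and not relaxed):
            self.findings.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in INLINE_ROOTS and self.depth > 0:
            self.depth -= 1

def scan(html, svg_aware):
    scanner = OutputScanner(svg_aware)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples: a benign icon and the same kind of markup carrying script.
ICON = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
        '<title>Info</title><style>.i{stroke:currentColor}</style>'
        '<path class="i" d="M12 9v4"/></svg>')
TAINTED = ('<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
           '<script>x()</script></svg>')

if __name__ == "__main__":
    for label, doc in (("icon", ICON), ("tainted", TAINTED)):
        print(label, scan(doc, svg_aware=False), scan(doc, svg_aware=True))
```

The relaxation applies only while the parser is inside an `<svg>` or `<math>` element, so a script placed before or after the icon is reported in both modes.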