Invoke `handle_event` in a test as if I'm a malicious websocket hacker?

There is some discussion around this here.

You’re generally safe but even still it’s best to do these checks in the business domain (“context”) layer. There are libraries that facilitate this. My favourite is LetMe.