Just like here, <iron-ajax> is vulnerable as well, but actually the core issue is that a template with script elements will be created by document.createElement, making it a strict-dynamic bypass.
No idea how applicable that one is in real Polymer apps, might be bogus.