Comment by grayhatter

You'd enumerate the resources the server sends, for a typical page load/request and demonstrate they're all valid js/css/html etc.

If a typical page can be shown to be prima facie safe to well formed parsers, without obvious shell code. It would require a response if there was additional evidence google was using in their determination.