JSON and XML are merely different data structures and so considered neutral in that case [0]. The parsers for either have had serious vuln classes sometimes causing RCE and many of the same sec bugs that browsers run into [1]. So the question should be which is the safest parser available for either of these?
Using Python standard libs to parse XML or JSON (Pickle) is not a good idea [2].
A modern and minimalist JSON parser is YAJL used in libvirt. Available in Debian [3]. My recommendation is to use YAJL in addition to having TB-updater connect via an onion address or over pinned TPO cert. To contact the author about further info related to security implementations contact: #yajl channel on Freenode or subscribe to Yajl mailing list by emailing yajl@librelist.com [4].
Assuming we don’t want any heavy-duty parsing and want something familiar, then using grep on fetched JSON data is a potential solution [5]. Combining this with onion security for communication is again the way to go IMO.
[0] java - Which is more secured and why JSON or XML - Stack Overflow
[1] XML vs. JSON: A Security Perspective | by David Petty | Independent Security Evaluators
[2] 10 common security gotchas in Python and how to avoid them | HackerNoon
[3] Debian -- Details of package yajl-tools in stretch
Debian -- Details of package libyajl2 in stretch
[4] yajl
[5] bash - Parsing JSON with Unix tools - Stack Overflow
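The grep approach mentioned in the post, as an added example that is not part of the original post and not tb-updater's code: because grep is not a JSON parser, the sketch only lets version-shaped tokens through and rejects oversized or non-ASCII input. The version pattern, the size limit, the function name and the sample document are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not tb-updater code): pull version strings out of untrusted
# JSON with grep, accepting only tokens that match a strict allowlist pattern.

# Assumed version shape: 2-4 numeric components, optional alpha suffix (12.0.1, 12.5a1).
VERSION_RE='[0-9]{1,3}(\.[0-9]{1,3}){1,3}(a[0-9]{1,3})?'
MAX_BYTES=4096   # assumed upper bound for a version-list document

# Reads JSON on stdin, prints validated versions one per line.
# Returns 1 if the input is too large, contains bytes outside printable
# ASCII (tabs and control characters included), or yields no version.
extract_versions() {
    local LC_ALL=C        # count bytes, not characters
    local data out
    data=$(head -c $((MAX_BYTES + 1)))
    [ "${#data}" -le "$MAX_BYTES" ] || return 1

    # Refuse anything outside 0x20-0x7e instead of trying to interpret it.
    if printf '%s\n' "$data" | LC_ALL=C grep -q '[^ -~]'; then
        return 1
    fi

    # The opening and closing quotes are part of the match, so a string such
    # as "12.0.1-Linux" or "<script>" is dropped rather than truncated.
    out=$(printf '%s\n' "$data" | LC_ALL=C grep -oE "\"$VERSION_RE\"" | tr -d '"')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Constructed sample input; the layout is hypothetical, not a real endpoint's format.
SAMPLE='["12.0.1","12.0.1-Linux","12.5a1","<script>","9.9.9.9.9"]'
printf '%s' "$SAMPLE" | extract_versions
```

The extracted values are safe to compare or log as plain strings, but grep still matches tokens regardless of where they sit in the JSON structure, so this is not a substitute for authenticating the channel the document was fetched over.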