Thank you, Eliot Kimber, for your response:

These vulnerabilities are only an issue if you allow untrusted users to supply XML documents with DTDs.


My application will be open to the outer world, so there will be untrusted users. We do not use DTDs, but DTDs are just one vulnerability.

[...] pre-parse them before supplying them to BaseX,


My solution is to simply not use DTD-aware parsing, [...]


I am using the internal parser with the DTD option set to false, but this is still vulnerable to the one billion laughs attack.

My next action will be to try to install my own parser into BaseX, which will be an interesting exercise...
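As an added illustration of the pre-parse step suggested in the quoted reply (this is my own example code, not from the thread, from Eliot Kimber, or from BaseX, and it makes no claim about what BaseX's internal parser or its DTD option do): a small guard built on Python's stdlib expat parser that refuses any document carrying a DOCTYPE or an entity declaration before it is handed to the database, beside a deliberately tiny "billion laughs" document (three levels of ten instead of the usual ten levels) showing how an entity-expanding parser blows the payload up. The names `reject_dtd`, `is_safe` and the sample documents are constructed for this example.

```python
"""Pre-parse guard: refuse XML that carries a DTD or entity declarations.

Added example, not code from the BaseX project. The sample documents below
are constructed for the demonstration.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Constructed sample: a shrunken "billion laughs" payload. Three levels of
# ten-fold expansion give 1000 copies of "lol" (3000 characters) from a
# ~450-byte document; the real attack nests ~10 levels and reaches gigabytes.
SMALL_BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed sample: an ordinary document with no DTD at all.
CLEAN_DOC = '<?xml version="1.0"?><doc><item>hello</item></doc>'

# Constructed sample: no internal subset, but an external DTD reference
# (an XXE-style entry point) that the guard must refuse as well.
EXTERNAL_DTD_DOC = '<?xml version="1.0"?><!DOCTYPE x SYSTEM "x.dtd"><x/>'


class UnsafeXML(Exception):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def expanded_text_length(xml_text):
    """Parse with an entity-expanding parser and report the expanded size.

    This is the behaviour a guard must prevent: the parser happily inflates
    &lol3; into 1000 copies of "lol" even though the input is tiny.
    """
    root = ET.fromstring(xml_text)
    return len(root.text or "")


def reject_dtd(xml_text):
    """Stream the document through expat and abort on the first DTD construct.

    Entities are never expanded here: the handlers fire on the declaration
    itself, so the cost is linear in the input size, not in the expansion.
    Returns True when the document reaches the end without any DTD.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE declaration refused: %s" % name)

    def on_entity_decl(entity_name, *rest):
        raise UnsafeXML("entity declaration refused: %s" % entity_name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.Parse(xml_text, True)
    return True


def is_safe(xml_text):
    """Boolean wrapper around reject_dtd for use as an admission check."""
    try:
        return reject_dtd(xml_text)
    except UnsafeXML:
        return False


if __name__ == "__main__":
    print("expanded text length:", expanded_text_length(SMALL_BILLION_LAUGHS))
    for label, doc in [("clean", CLEAN_DOC),
                       ("billion laughs", SMALL_BILLION_LAUGHS),
                       ("external DTD", EXTERNAL_DTD_DOC)]:
        print("%-15s safe=%s" % (label, is_safe(doc)))
```

The guard runs before the document ever reaches the database, so it does not depend on how the downstream parser handles DTDs; it also rejects the external-subset case, which a check that only looks for an internal subset would miss. A malformed document still raises `xml.parsers.expat.ExpatError` from `reject_dtd`, which is the right outcome for an admission check.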