In my experience many users will, and do, go out of their way to circumvent their own protection unless very aware of the consequences, and sometimes even then. If they really want to see that funny Flash animation on a certain site, they will find a way to do it and then often forget to undo the changes they made, thereby leaving themselves vulnerable.
There are some aspects of Flash, JavaScript, etc., that are safe, and do not reveal any information. There are other aspects that are unsafe. This gets back to the whole issue I raised earlier, in another thread. Why try to sell people on "OK, but you need to use a completely stripped down browser that can't display most modern sites at all because all scripting systems are disabled"? Why not use a "security manager" model, where the browser commands are verified by a separate security manager, configured by the user? Then Tor can just distribute a security manager file.

This would require some sort of system for "I'm the browser, this is the file I just downloaded, tell me what I can safely execute". "I'm the JavaScript parser, this is what I've just parsed and written via document.write but not yet executed. Tell me what I can safely execute". "I'm the browser, this is the full document after fetching all the embedded references. I know I've asked you on each of those parts separately, now here's the whole shebang. Tell me what I can safely execute." Etc.

The whole "Because some aspect of Flash can kill you, all of Flash must be junked" approach won't work. That's like saying, "Because Java could contain an unsafe program, no Java can be used". Sun designed a security manager system into Java specifically to deal with that concern. If the default security manager isn't good enough -- if the default SM permits unproxied connections, for example -- then we need a new SM that does not permit unproxied connections, or forces them to become proxied without the code realizing it. Java does permit changing the SM, doesn't it? Why not implement one for the rest of the browsing experience?
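
As an added illustration that is not part of the original post, here is what a Java security manager that refuses unproxied connections can look like. It covers only the "does not permit" half of the idea, not transparent re-routing. The class name, the proxy endpoint 127.0.0.1:9050 and the test address are assumptions made for the example.

```java
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketPermission;
import java.security.Permission;

// Added example. SecurityManager is deprecated for removal since Java 17;
// on Java 18-23 start the JVM with -Djava.security.manager=allow, and from
// Java 24 a security manager can no longer be installed.
public class ProxyOnlySecurityManager extends SecurityManager {
    private final String allowedEndpoint; // "host:port" of the local proxy (assumed)

    public ProxyOnlySecurityManager(String proxyHost, int proxyPort) {
        this.allowedEndpoint = proxyHost + ":" + proxyPort;
    }

    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof SocketPermission) {
            // The default checkConnect() asks for SocketPermission("host:port", "connect"),
            // or SocketPermission("host", "resolve") for a bare name lookup.
            boolean isConnect = perm.getActions().contains("connect");
            if (!isConnect || !perm.getName().equals(allowedEndpoint)) {
                throw new SecurityException("blocked unproxied network access: "
                        + perm.getName() + " (" + perm.getActions() + ")");
            }
            return;
        }
        // Untrusted code must not be able to swap this manager out.
        if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName())) {
            throw new SecurityException("security manager may not be replaced");
        }
        // Everything else is permitted in this sketch; a real policy would be stricter.
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new ProxyOnlySecurityManager("127.0.0.1", 9050));
        try (Socket s = new Socket()) {
            // 192.0.2.1 is a documentation (TEST-NET-1) address, constructed for the demo.
            s.connect(new InetSocketAddress("192.0.2.1", 80), 1000);
            System.out.println("unexpected: direct connection was allowed");
        } catch (SecurityException e) {
            System.out.println(e.getMessage()); // denied before any packet is sent
        }
    }
}
```

Because name lookups arrive as a "resolve" permission, this policy also refuses direct DNS resolution, so proxied code has to hand hostnames to the proxy rather than resolve them itself.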

