JavaScript applications presented as remote Web pages are convenient, sure.
But their convenience is also their greatest danger. You know how Windows
users can get infected with unauthorized malware just by visiting the wrong
Web pages? That's JavaScript; on a sane computing system, you can choose
explicitly what programs to install and run, but in the Web browser,
everything is installed and ran automatically, and that tends to include
programs that are malicious.
Then there's the problem of updates to the application being automatic: you
may have reviewed the source code of on version 5 minutes ago, but that
doesn't mean that's what you're getting now. On a sane computing system, you
keep the program as long as you consistently use it, and you can control how
often it is updated. In a Web browser, it's impossible to even tell if a
script is changed, so updates are not only automatic, but silent. If someone
wanted to attack you, it would be trivially easy for the Web server (or a
middle-man if it's over HTTP) to send you a malicious version of the program
(say, a version that contains spyware) for a brief period of time, then
revert to the non-malicious version a few minutes later.
And the real kicker is, you can't edit JavaScript programs distributed as a
part of a remote Web page. You can edit the program, sure, but you can't
actually use your modified version in place of whatever version the Web page
distributes/requests.
I've written about the problem of JavaScript embedded into Web pages in the
past:
https://onpon4.github.io/other/kill-js/
In short, executing JavaScript, at least the way all Web browsers do it
today, distributed with remote Web pages should never be done. It is
incompatible both with true liberty and with even modest security. The only
way it can be acceptable is if a Web browser is designed to give the user
full control over what scripts are executed, what those scripts do, and when
they are updated.
Of course, this all applies only to remote Web pages. If you have a local Web
page (stored entirely on your computer), then any JavaScript program on it is
perfectly fine. But that kind of defeats the whole purpose of basing a
program on manipulation of a Web page.