by IloveHN84 2485 days ago
But how safe is cryptography in JavaScript, knowing that the language allows funny mathematics and comparison results?
3 comments

I had to do a little digging into where it was pulling its crypto methods from and it looks like they have a bit of their own library, but it uses libsodium via JavaScript wrappers underneath:

https://github.com/TankerHQ/sdk-js/tree/master/packages/cryp...

https://github.com/jedisct1/libsodium.js

So, I guess take that as you will. I haven't read much of the actual source yet.

edit: I sort of expected there would be a move to the server, since it looks like they built their library to run on the server, even if it's running all of the libsodium methods in JavaScript, but it's definitely pulling the browser version and running it all in the client: https://github.com/TankerHQ/sdk-js/blob/master/packages/file...

That isn't unsafe, just annoying.
JavaScript itself is quite safe, more so if it's running isolated like in a browser. Trusting your data to a piece of JavaScript code sent by a remote server, though, is only as safe as the server.
The "safety" being discussed here isn't system integrity, but rather cryptographic side channel safety, which is very much an open question in JavaScript.
It's not so "isolated" - running JavaScript in a page can be examined and potentially altered from a number of vectors (probably the simplest is extensions).

AFAIK there's no way of running JS in a browser that is "safe" in the crypto sense.