That perspective is somewhat dated to be blunt. A modern Java deployment would be identical security wise to node, with one app per Java process running with the minimum of privileges.
I have no worries, because I make sure to sacrifice chickens to my Tomcat apps each day. Although going into the cloud is making it trickier, chickens generally can't fly that high.
It is unsafe to mix trusted and untrusted code in the same process. This is why Chrome runs the renderer in a separate process. My concern is that using Java to execute JS increases the probability they are doing this bad mixing. They could be doing it safely but it increases my suspicion.