I have no worries, because I make sure to sacrifice chickens to my Tomcat apps each day. Although going into the cloud is making it trickier, chickens generally can't fly that high.
It is unsafe to mix trusted and untrusted code in the same process. This is why Chrome runs the renderer in a separate process. My concern is that using Java to execute JS increases the probability they are doing this bad mixing. They could be doing it safely but it increases my suspicion.