by emnudge 2011 days ago
Quick correction: it is not the same as eval. It does not have access to the current scope. It is technically a fair bit safer when trying to run code from a string.

It may have access to the window object, however, so if something important is there, it can probably mess with that.


It's pretty hard to imagine a situation where full access to the global scope (including DOM) is fine as long as the attacker doesn't have access to the current function's scope. Performance difference, sure, but safety difference is pretty far fetched.
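A runnable illustration of the scope difference both comments describe, added here as an example and not part of the thread: direct `eval` sees the caller's local bindings, while `new Function` compiles in global scope and sees only globals. `probeScopes`, `localSecret` and `appConfig` are constructed names for this demonstration.

```javascript
// Constructed global value standing in for "something important" on the
// global object (window in a browser, globalThis in Node).
globalThis.appConfig = { apiBase: "https://example.invalid" };

// Run the same snippet through direct eval and through the Function
// constructor and report what each one could reach.
function probeScopes(code) {
  const localSecret = "local-only-value"; // lives only in this function's scope
  const outcome = {};

  // Direct eval executes in the caller's lexical scope: localSecret is visible.
  try {
    outcome.eval = eval(code);
  } catch (e) {
    outcome.eval = e.name;
  }

  // new Function compiles in global scope: localSecret is not visible,
  // but globals such as appConfig still are, so this is isolation from the
  // caller's scope only, not a sandbox.
  try {
    outcome.func = new Function("return (" + code + ");")();
  } catch (e) {
    outcome.func = e.name;
  }

  return outcome;
}

// Both probes can read the global; only direct eval can read the local.
console.log(probeScopes("localSecret"));       // { eval: 'local-only-value', func: 'ReferenceError' }
console.log(probeScopes("appConfig.apiBase")); // { eval: 'https://example.invalid', func: 'https://example.invalid' }
```

The ReferenceError on the `func` side is the "fair bit safer" point from the first comment; the identical `appConfig.apiBase` result on both sides is the reply's point that global (and, in a browser, DOM) access remains.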