Intent might matter a little. I wouldn't be surprised if disabling JS for the purpose of bypassing an access control falls afoul of the CFAA but intentionally browsing the web without JS (e.g. via lynx) does not. If that were the case, they'd have to prove that you intentionally circumvented their access controls.