In that inexperienced users are not well-informed of the option to disallow it, and might not understand that indiscriminate, promiscuous execution of JavaScript as a default behavior can be hazardous. ...at least as hazardous as connecting to unencrypted Wi-Fi.
I have an omegle exploit that exists entirely in javascript. it was written for Chrome (Windows/Mac specifically), but still 100% javascript. I'd be happy to email a copy of it (in .zip form) to anyone interested.
Also, the recent Tor Browser Bundle exploit (RIP Tormail) was javascript-based.
To whit: http://beefproject.com/
New users aren't even readily informed that JavaScript is a thing.