[negativity]

In that inexperienced users are not well-informed of the option to disallow it, and might not understand that indiscriminate, promiscuous execution of JavaScript as a default behavior can be hazardous. ...at least as hazardous as connecting to unencrypted Wi-Fi.

To whit: http://beefproject.com/

New users aren't even readily informed that JavaScript is a thing.

[ghostdiver]

Didn't ever hear of pure JS browser exploit, only a mix of Flash or Java.

[aclevernickname]

I have an omegle exploit that exists entirely in javascript. it was written for Chrome (Windows/Mac specifically), but still 100% javascript. I'd be happy to email a copy of it (in .zip form) to anyone interested.

Also, the recent Tor Browser Bundle exploit (RIP Tormail) was javascript-based.