Personally, I know very few people who disable JavaScript in their browsers, simply because that would make even the simplest web-based applications useless. Many people use online email clients, e-banking systems, and other web-based applications, all of which have to use some dose of JavaScript for functioning properly and offering a suitable post-web-1.0 user experience. That's a fact.
In 99.9% of all web applications, the data resides on the server, which means that the server-side code must ideally be properly secured against all types of attacks (SQL injection, XSS, and more at OWASP). In the case of XSS attacks, the goal is not always to hack the data (which we can properly secure 100%), but often to sort of hack the way information is displayed on the screen. When a web application is displayed within a frame/iframe of another malevolent web application, there is little one can do to prevent that, except using the newcoming antiphishing tools provided by browser vendors et al.
Using new technologies automatically implies taking more risks. At the end of the day, people committing to use new technologies or new arrangements of old technologies (like Ajax) are implicitly taking those risks and must do so in all awareness. Due to the openness of the web (which is its greatest strength as well as its greatest threat), the only thing we can really rely on is the users' awareness of the risks they are taking. Users must be made aware of the risks they are taking and they must be given the option of going down that path or not. As JavaScript developers and server-side developers, all you can really do is to secure your code as much as you can and inform your user base about the potential risks.
[ July 25, 2007: Message edited by: Valentin Crettaz ]