Well, in cases where you can't trust the client, that means you (the server) should not allow any client-side code that isn't heavily checked and double-checked. GP is concerned about client-side security.
Of course, as it stands now, there is no trivial way to prevent what RMS wants: user-specified client-side code. But if a third party is able to specify code for the user (using phishing techniques, etc.), therein lies the security hole.
Personally, I'm all for an easier way to use your custom drop-in replacements for web page code. It would be like Greasemonkey, and people would stop complaining whenever Popular Social Website changes its interface yet again. Plus, it would make sense to use some local cache for Popular Social Website's code (which would be periodically updated, of course).