The ECMAScript spec doesn't include details about its environment. You can run it in varying environments, each of which has different security criteria. For example, you can run a fully isolated JS VM that has no interactions with the real world, which is certainly quite safe. Node has full access to pretty much all the user's system resources, while the browser is a bit more sandboxed and restricted in what it can access.