It's not JS that's the issue; it's the fact that the server can change the code at any time without the user being notified. So Mega can backdoor its own encryption code at any time to retrieve your keys.
It's broken by design; it's not a flaw of JS per se.
Your mobile and desktop OSes, etc., all have a silent automatic update mechanism. Installed programs can start services silently and download executable code in the background and use it as they want. And governments take advantage of these facts regularly.
That's why they created the browser extension. It might even come signed. At least you can read the source in plain text, unlike a compiled binary.
Google Play Services is one example. Any app can download executable code in the background without you realizing what is happening. Apple has some mechanisms of their own coded in if necessary.