The funny thing is, nobody had a reason to trust Privnote in the first place, with or without JavaScript. It's a clearnet web site. LE can identify the operators. LE knows that shit tons of sensitive info is posted there. LE could compel the operators to change the JavaScript to transmit messages back to the server in plaintext (along with serving an FH-style exploit to you, in case you are accessing Privnote over Tor). Isn't it enough that you have to trust DPR with your bitcoins and the vendor with your address? Why unnecessarily increase your attack surface with third parties that require your trust, and don't deserve it?