The problem with privnote is that there's no guarantee that the javascript sent from the website won't change tomorrow. Or tonight. Or 30 seconds from now.The circumstance is basically that you're downloading a program that does the encryption for you on-the-fly from the web site, and even though you can look at the program one day and know that the javascript is really safe... you can't trust that it'll be the same 5 minutes from then let alone next week.The gpg program doesn't change unless you change it, presumably. It's stored on your computer. That's why it's safer: it can't just randomly mutate into an insecure, broken encryption scheme without warning.