
Can you expand on "Firefox completely broke security if Sync"? Do you have a specific incident in mind, or an architectural change, or..?


The old Firefox sync protocol used secure keys to encrypt user data; the new protocol uses one's Firefox account password to encrypt it. A memorable password is a low-entropy password, which means it is an insecure encryption key.

Mozilla's protocol purports not to reveal passwords to Mozilla itself, but the security of the system rests on JavaScript files delivered from … Mozilla. They can, if they wish, target a user and serve him suborned JavaScript which sends the plaintext password back. Unlike a tampered build of Firefox itself, which might actually be noticed, this could be a one-shot attack.

Worse, not just Mozilla as an organisation can do this: it can be compelled to do so on behalf of any government which has the power to compel it (or those employees capable of targeting someone).

It's a terrible, terrible change.



