JavaScript itself is quite safe, more so if it's running isolated like in a browser. Trusting your data to a piece of JavaScript code sent by a remote server, though, is only as safe as the server.
The "safety" being discussed here isn't system integrity, but rather cryptographic side channel safety, which is very much an open question in Javascript.
it's not so "isolated" - running Javascript in a page can be examined and potentially altered from a number of vectors (probably the simplest is extensions).
AFAIK there's no way of running JS in a browser that is "safe" in the crypto sense.
