
I guess OP thinks that vanity-eth.tk is a website with server-side code.

If that were the case, the security of the private key would be compromised. But the website is client-side only.

Or maybe the complaint is that non-tech-savvy users might be getting confused and might be too trusting of other sites that do private key handling server-side.




Or, y’know, they might serve everyone else client-side code, but serve one particular user server-side code. (Sort of like the hypothetical NSA Windows Update attack.)

This is why most crypto web-apps have a browser-extension form; you can check in your browser extension list to verify which version of the extension you have, and so know that it’s safe if someone you trust has already audited that version.


That doesn't help you much if you're starting out. You have to trust somebody and someone has to point you to something.

Whether it's a specific browser extension or a web page that you can run after you've cut the internet doesn't really make a difference. Note that vanity-eth.tk points out that you don't have to trust them and how to ensure that the private key stays private. But that needs some knowledge and that's certainly not for everybody.


>I guess OP thinks that vanity-eth.tk is a website with server side code.

I am fairly certain that very few people go and read the entire supposedly client-side JS code served by that site. It takes a very tiny bit of obfuscated JS to send 256 bits somewhere else.

[edit]: and when you generate a key pair that's going to potentially store multi kUSD in value, trusting anything that happens in a browser is - call me old fashioned - suicidal.



