X-Frame-Options and cookie access rules would help protect against that a layer beneath Javascript. I get your point that ultimately any security breach can escalate to full-on compromise of all personal data. I still find it playing with fire to have completely unrelated sites having my name inside an iframe.