
What about JavaScript code on a harmful website that does requests to localhost?

It used to be possible to easily scan what sites are running locally, even if the JS code was from a public website. [0]

[0] https://defuse.ca/in-browser-port-scanning.htm
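The mitigation side of the question above, as an added example that is not code from the thread or from the linked page: a local HTTP service that checks the request headers a browser attaches before serving anything. The Host check defeats DNS rebinding (a public hostname that resolves to 127.0.0.1 still carries that public name in Host), the Sec-Fetch-Site check rejects requests a page on another site triggered even when the browser sends no Origin, and the Origin allowlist covers CORS requests. The port and the allowed origin are assumptions for the demo.

```python
"""Added example: a loopback-only HTTP service that refuses requests a page
on another origin could have forged. Not part of the original thread."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Names a legitimate local client would put in the Host header.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Hypothetical allowlist for this demo: only our own origin may read responses.
ALLOWED_ORIGINS = {"http://localhost:8765"}


def check_local_request(headers: dict) -> tuple[int, str]:
    """Return (HTTP status, reason) for a request described by its headers.

    Header names are matched case-insensitively, as they arrive from clients.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. DNS rebinding: the attacker's hostname resolves to 127.0.0.1, but the
    #    browser still sends that hostname in Host, so refuse anything that is
    #    not a loopback name.
    hostname = urlsplit("//" + h.get("host", "")).hostname
    if hostname not in LOOPBACK_HOSTS:
        return 421, "Host header is not a loopback name (possible DNS rebinding)"

    # 2. Fetch Metadata: browsers label requests initiated by another site,
    #    including no-cors GETs that carry no Origin header at all.
    if h.get("sec-fetch-site") == "cross-site":
        return 403, "cross-site request rejected (Sec-Fetch-Site)"

    # 3. CORS-style requests carry Origin; only allowlisted origins pass.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, f"origin {origin} is not allowed"

    return 200, "ok"


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Apply check_local_request before answering any GET."""

    def do_GET(self):
        status, reason = check_local_request(dict(self.headers))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())


# Constructed sample header sets, as a browser would send them.
SAMPLE_REQUESTS = {
    "same-origin tool": {"Host": "localhost:8765"},
    "rebound hostname": {"Host": "attacker.example:8765"},
    "cross-site no-cors GET": {"Host": "127.0.0.1:8765", "Sec-Fetch-Site": "cross-site"},
    "cross-site CORS fetch": {"Host": "localhost:8765", "Origin": "https://evil.example"},
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the check; returns name -> status."""
    return {name: check_local_request(hdrs)[0] for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in evaluate_samples().items():
        print(f"{name:24s} -> {status}")
    # Bind to loopback only; a LAN interface would widen exposure for no reason.
    HTTPServer(("127.0.0.1", 8765), LocalOnlyHandler).serve_forever()
```

Note that none of this stops a page from observing whether port 8765 answers at all (the timing side channel the linked write-up uses); it limits what a cross-site page can make the service do or read once the port is found.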




A JS based exploit that hijacks the X Window System Core Protocol running on your localhost to inject key presses into your X server or steal screenshots? I mean it's possible, but it seems quite far-fetched except maybe if someone specifically targets you.


The main impediment is that an HTTP request won't look anything like the X Window requests, so the X server would likely reject it.
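To make the point above concrete, here is an added example (not code from the thread) that parses the X11 connection-setup request as the protocol spec lays it out and feeds it both a well-formed setup and a constructed HTTP request. The first octet must be `B` or `l` and the protocol-major-version must be 11, so HTTP bytes fail at the first or second check; the authorization name and cookie bytes are constructed sample values.

```python
"""Added example: parse the X11 connection-setup request and show why HTTP
bytes are rejected before any authorization is considered. Not from the thread."""
import struct

X_PROTOCOL_MAJOR = 11


def _pad4(n: int) -> int:
    """Padding needed to bring n up to a multiple of 4 (X11 pads every field)."""
    return (4 - n % 4) % 4


def parse_x11_setup(buf: bytes) -> dict:
    """Parse the 12-byte setup header plus the two authorization fields.

    Layout (X Window System Protocol, "Connection Setup"):
      0    byte-order: 'B' (MSB first) or 'l' (LSB first)
      1    unused
      2-3  protocol-major-version   6-7  authorization-protocol-name length
      4-5  protocol-minor-version   8-9  authorization-protocol-data length
      10-11 unused, then name (padded to 4) and data (padded to 4)
    Raises ValueError for anything that is not a well-formed setup request.
    """
    if len(buf) < 12:
        raise ValueError("short read: setup header is 12 bytes")
    order = buf[0:1]
    if order == b"B":
        endian = ">"
    elif order == b"l":
        endian = "<"
    else:
        raise ValueError(f"byte-order octet {order!r} is neither 'B' nor 'l'")
    major, minor, name_len, data_len = struct.unpack(endian + "HHHH", buf[2:10])
    if major != X_PROTOCOL_MAJOR:
        raise ValueError(f"protocol-major-version {major} != {X_PROTOCOL_MAJOR}")
    need = 12 + name_len + _pad4(name_len) + data_len + _pad4(data_len)
    if len(buf) < need:
        raise ValueError("truncated authorization fields")
    name = buf[12:12 + name_len]
    off = 12 + name_len + _pad4(name_len)
    data = buf[off:off + data_len]
    return {
        "byte_order": "big" if endian == ">" else "little",
        "major": major,
        "minor": minor,
        "auth_name": name.decode("latin-1"),
        "auth_data": data,
    }


def build_x11_setup(auth_name: bytes, auth_data: bytes, little_endian: bool = True) -> bytes:
    """Build a well-formed setup request, the mirror image of parse_x11_setup."""
    endian = "<" if little_endian else ">"
    header = (b"l" if little_endian else b"B") + b"\0"
    header += struct.pack(endian + "HHHH", X_PROTOCOL_MAJOR, 0, len(auth_name), len(auth_data))
    header += b"\0\0"
    return (header + auth_name + bytes(_pad4(len(auth_name)))
            + auth_data + bytes(_pad4(len(auth_data))))


def looks_like_x11(buf: bytes) -> bool:
    """True if the bytes pass the setup checks an X server applies first."""
    try:
        parse_x11_setup(buf)
        return True
    except ValueError:
        return False


# Constructed samples: a sample cookie (not a real one) and an HTTP request a
# browser might send to a port on the loopback interface.
SAMPLE_COOKIE = bytes(range(16))
X11_SETUP = build_x11_setup(b"MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE)
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: localhost:6000\r\n\r\n"


if __name__ == "__main__":
    print("X11 setup accepted:", looks_like_x11(X11_SETUP), parse_x11_setup(X11_SETUP)["auth_name"])
    print("HTTP request accepted:", looks_like_x11(HTTP_REQUEST))
```

Even an HTTP request whose first byte happened to be `B` would be rejected at the version check, since bytes 2 and 3 of any request line are ASCII letters and decode to a number far from 11. Browsers add a layer on top of this: Chromium and Firefox treat 6000 (X11) as a restricted port and refuse to connect to it from page scripts at all.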


There are actually several (published and non-published) ways to exploit that type of configuration; here is one example:

https://samy.pl/slipstream/


If you're talking about the general concept of using JS to spoof another protocol: that exploit involves middleboxes sniffing TCP connections at the packet level, rather than at the connection/stream level. It certainly won't work for connections with a TCP server.

If you're talking about using that exploit to allow access to the victim's machine from the internet: that won't work because the listening interface for the X11 server is localhost, not the LAN interface.



