
As a cybersecurity guy you should know that JavaScript is by far not the entire attack vector in the frontend landscape: the DOM, HTML, HTTP, CSS, browser implementations, etc. are a most complete picture. JavaScript itself has evolved and is evolving from its basic roots.



Historically yes, because we use unsafe languages just to parse HTML, CSS, HTTP, but intrinsically those do not require unsafe things. For JIT the situation is different, and without JIT performance would be problematic.

That said, the alternative to web apps is native platforms or other VMs which have the exact same problem except with less capital allocated towards mitigating it.


>For JIT the situation is different and without JIT performance would be problematic.

Not really, at least on desktops: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec...


Interesting results, but I am talking about the web as an application platform, not as the average user's web browsing platform. I find it hard to imagine that users would accept e.g. something like Figma running without JIT, meaning that Figma would have no choice but to move native, thus running into the same problem. That said, for the average web user, disabling the JIT by default may be reasonable.



