Firefox Sync used to be protected with high-entropy keys; now it's protected by a (likely) low-entropy password. Moreover, even if one uses a high-entropy character sequence as a password, Mozilla are able to target one with malicious JavaScript and snarf that password at will.