Unless you are an expert cryptographer and write your own code from scratch, including the compiler and, if you are really paranoid, building your own hardware, you are always relying on third parties as your source for crypto code and the devices upon which it executes, and you have to trust that they have not inserted backdoors.
Can you expand on the "trivial to alter" part? I get the impression that many claim that altering the JS you get is almost as easy as sniffing your traffic, and I'd like to know more about why that is so.
I threw together my own implementation of that from scratch when it hit Hacker News a few months ago. Mine uses an arbitrary sed script; not sure what theirs does, but I believe they've released their source now. It took about 2 hours max.
Just one possible scenario is pretending to be the access point of your local coffee shop. Some of the coffee shop patrons will connect to your fake access point. Your system can subsequently run their traffic through a proxy that alters web pages to defeat any JS-based crypto, install malware, etc.