The suggestion that you should forbid access to the prefilled password from JavaScript just doesn't work and will break many websites. If the form is submitted in the regular way, it will typically work, but any sort of background logging in or AJAX form submission will then fail.
And what's so special about what you've saved? XSS is a security hole and so once a script is injected it doesn't really matter whether it's the prefilled password or a password that gets typed in - it's just perhaps slightly more likely to be there. (But then, I wouldn't think people are in the habit of leaving a filled in login form as it is - I at least would be likely to compulsively submit it and log in.)
And what's so special about what you've saved? XSS is a security hole and so once a script is injected it doesn't really matter whether it's the prefilled password or a password that gets typed in - it's just perhaps slightly more likely to be there. (But then, I wouldn't think people are in the habit of leaving a filled in login form as it is - I at least would be likely to compulsively submit it and log in.)