Me too. I am every day more appalled by the lack of security of browsers. That being said, logically, if you also have javascript disabled, I presume click-to-play should be secure.