yeah, it's understandable to be skeptical, and lots of the code is vulnerable, when it runs on a web browser, 100x more likely to be vulnerable from XSS
it's just a part of a general trend in software these days... security is subordinate to functionality, and what security they do implement is usually excessive and heavy-handed and doesn't actually work