Afaik the creator was not a JavaScript front-end expert... it was vanilla JS in the page and a fun experiment. I don't think it was intended as a scam.
The creator quit supporting it after a bunch of security vulnerabilities. It's a shame, but this is voluntarism warts and all. https://twitter.com/super_testnet/status/1604973673836056576
Discussion
All solutions are temporary until we can keep our private keys truly secure instead of having to input them into clients.
More people should check out NIP-49, encrypted private key import/export. So far the only client I know that implements this is the Gossip client by #[13]. Worth checking it out.
It's fairly trivial to fix anigma: escape innerHTML and implement window.nostr, so that it doesn't need to store any private keys. I'm not sure why no one has done it, maybe I'll do it this weekend.
Rogue code can still decrypt your DMs if the plugin is set to auto-decrypt.