The whole point of this is to stop attackers who've managed to break out of the JavaScript sandbox. It's an extra layer of protection. If you're going to assume that an attacker is restricted to what JavaScript is meant to be able to do then the whole exercise is pretty much pointless; this is also a bad assumption.