By "malleability", we mean that code loaded in the future can monkey patch away the random number generator or AES block cipher function. I'm pretty sure that isn't debatable.
You keep saying that you mitigate this problem by controlling your pages 100%. Congratulations, you have gone farther than many of the JS crypto apps I've looked at; many of those bug their pages with Google Analytics, or with Typekit.
But that doesn't mitigate the problem that your users can't police you. They are relying entirely on your promise not to deploy code that will surreptitiously defeat the security of AES (or whatever ciphers you're using). And because JS is malleable, it is untenably hard even for an expert to attempt to validate your code by hand.
You keep saying that you mitigate this problem by controlling your pages 100%. Congratulations, you have gone farther than many of the JS crypto apps I've looked at; many of those bug their pages with Google Analytics, or with Typekit.
But that doesn't mitigate the problem that your users can't police you. They are relying entirely on your promise not to deploy code that will surreptitiously defeat the security of AES (or whatever ciphers you're using). And because JS is malleable, it is untenably hard even for an expert to attempt to validate your code by hand.