Privacy and security concerns serve to make client-side JavaScript a complex matter.
By default, the browser user is safe, and the client-side JavaScript script writer is not. The script writer's activity is restricted by security hobbles, and the scripts are exposed to the user's whim. For JavaScript outside the browser such as server-side JavaScript and standalone JavaScript in CGI programs, the script writer has the same protections as any general programming language.
Half-hearted attempts at security such as code shrouding may keep the ignorant and lazy at bay, but ultimately provide no security at all. In order to be properly secure, a complete solution involving digital certificates is required. This is not usually free and requires extra organization and tools. Users may need to be educated as well.
Cookies are a mechanism that resides in the gray area between secure and insecure. Useful for maintaining data in the browser client and for tracking browser users, they have some light implications on security. Their behavior in browsers is unusual compared with other browser features, and can only be controlled from the browser via JavaScript.