The unencrypted private keys never leave your computer - all computations involving private keys are done using JavaScript on you computer instead of on the server.
You can generate your own pubic/private key pairs to your hearts content.
Already flawed, pack up and go home.
The Javascript library used to encrypt the keys in StrongCoin is gibberish AES.
Implementing AES means producing the precise ciphertext that the standard mandates for a given plaintext and key; we are talking about exact values, down to the last bit, so the language used to code the algorthm is irrelevant.
The main argument against using Javascript for encryption is that the server could be hacked and the JavaScript changed.
Firstly, StrongCoin is deployed to Heroku, you can read their security policy
http://policy.heroku.com/security.
Secondly, I will be shortly implementing a remote service to check any changes to the delivered JavaScript. I can then use PingDom to send me an SMS if the checks fail. That's a check every minute.
StrongCoin is probably the least risky way to store and spend Bitcoins.
