JavaScript crypto is mostly useless because the server can change the JavaScript at any time to steal your password unless your browser stops this somehow, which is very unusual.
Yes, this is correct. I thought BC.i "fixed" this by having a browser extension you could download, though. Of course, that only complicates matters, because then every time they update, you want to download a new browser extension.
One way you could run a JavaScript checker would be to have "audit servers", and every time you connect it would recommend verifying with at least two "audit servers" that the code you are running is the correct hash/version. From what I understand, bitaddress.org and other JS intended-to-be-run-offline wallets have this issue as well.
This is why I was kind of interested in what Sirius is working on. If he could make an independent audit server that random folks could run to verify each other's sites, we'd have a "community of consensus" that we're all running code each of us has actually written.
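
A sketch of the "at least two audit servers" check described above, as an added example that is not part of the original posts or of any project they mention. The function names, the `audit-*.example` hosts, the in-memory auditor replies and the fail-closed policy on any disagreement are all assumptions made for illustration.

```javascript
// Added example: compare the hash of the script a site served against
// the hashes reported by independent audit servers, with a quorum of two.
const { createHash } = require("node:crypto");

// Hex SHA-256 of the exact source text the site served.
function sha256Hex(source) {
  return createHash("sha256").update(source, "utf8").digest("hex");
}

// reports: [{ auditor, hash }] where hash is the value that auditor
// publishes for the current release, or null if it could not be reached.
// Assumed policy: accept only if at least `quorum` distinct auditors
// match the served code and no reachable auditor disagrees.
function verifyWithAuditors(servedSource, reports, quorum = 2) {
  const served = sha256Hex(servedSource);
  const seen = new Set();
  const agree = [];
  const disagree = [];
  const unreachable = [];
  for (const { auditor, hash } of reports) {
    if (seen.has(auditor)) continue; // one vote per auditor
    seen.add(auditor);
    if (hash == null) unreachable.push(auditor);
    else if (hash.toLowerCase() === served) agree.push(auditor);
    else disagree.push(auditor);
  }
  const ok = agree.length >= quorum && disagree.length === 0;
  return { ok, served, agree, disagree, unreachable };
}

// Constructed sample data: a released script, a server-modified copy,
// and what three hypothetical auditors report for the release.
const RELEASED_JS = "function deriveKey(pw) { /* audited release */ }";
const MODIFIED_JS = RELEASED_JS + "\n/* changed by the server after the audit */";
const PUBLISHED = sha256Hex(RELEASED_JS);
const REPORTS = [
  { auditor: "audit-a.example", hash: PUBLISHED },
  { auditor: "audit-b.example", hash: PUBLISHED },
  { auditor: "audit-c.example", hash: null }, // unreachable
];

console.log(verifyWithAuditors(RELEASED_JS, REPORTS).ok); // true
console.log(verifyWithAuditors(MODIFIED_JS, REPORTS).ok); // false
```

The check only helps if it runs from code the site itself cannot replace, which is the role the browser extension plays in the reply above.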