Your active key is required to play, but do not worry, it never leaves your browser.
This requires complete trust in the javascript being delivered from your server at all times. If your server is compromised at any point, the keys might leave the browser. From a trust perspective, this is sort of a null claim, because it is the same amount of trust as just sending the active key to the server.
It's hosted on github pages
Ok, fine, replace "if your server" with "if your workstation or github credentials or email account" and my point stands. :)
Right. To avoid this risk it's recommended to check the code 2 sentences later. A few regulars doing that and any malicious change can be spotted very quickly.
From that perspective it's more secure than using steemit.com, where your point stands as well, but it's harder to check the code that's delivered by your servers. More comparable with the cli_wallet, with an additional benefit of easier to read code. The most secure way to send coins so to say!