This is not a theoretical concern; this has happened with a Bitcoin online wallet which stole a specific targeted user's money by serving malicious JS to that user only. (I believe this was mentioned in Bitcoin Magazine a while back.)
.bit improves upon a single point of failure for the internet: DNS-level censorship. There are ambitions to move beyond that, but we have to get to that goal first. This hybrid between DNS forwarding and social networking darknet is a very real way to make .bit relavent in a manner that is as secure as any financial institution. Given the level of scrutiny, it would be at least as secure as the updates we get from the namecoin development servers or Github or Mozilla
Blockchains are distributed trust based crypto. Whether it's by consensus, percentage votes, or darknets, you must rely on other sources for that information.Web of trust is also very different from a Namamoto blockchain in terms of threat model.
Sorry if this is scattered, very late
That said, why not use a downloadable JS file? It could be distributed as a browser addon with minimal extra effort, and that way it's auditable.