Using any JS obfuscator (example:https://obfuscator.io/), a user can hide malicious code that may be unreadable to a user. A user might enable JS Extensions and out of curiosity run the project.
Yes, I agree with this. Maybe we should go so far as to change the message from "Error: JS Extensions are turned off," which suggests that the user made a mistake by not enabling JS, to "Do not enable JS in programs by users you don't know and trust."