None of this makes or is a result of the language js (being) secure. Security is far and away predominantly a matter of how it's used, not a character of them language itself. "Safety" helps, but you can still easily write and package unsafe and insecure code in "safe" languages like rust, just as you can in C, JS, python, etc etc etc.