User blog comment:Rappy 4187/Technical Update: August 31, 2015/@comment-5558012-20150901003221/@comment-24473195-20150901010012

The most import principle of security is to reduce the attack points. More than 50% of users never change their personal js, so leaving it open by default exposes users to unnecessary risk.

It is also easier for someone who compromises your account to put some javascript there then it is to go change the settings. Also, if wikia wanted they could always make it a requirement to have a second password or pin or some other requirement to enable js which would prevent any attacker from easily exploiting it.