Well, for one thing, the problem of “code delivered from a site you would normally trust but that is now malicious” is the same as the problem of “being mistaken about what sites to trust (and so accidentally trusting a site that was malicious all along)”.
As I understand your question, and as I understand the web and its technologies, the problem basically is that “if you run code (JavaScript) in your browser—code that is provided by arbitrary people on the internet—this is fundamentally a vulnerability”. And that’s true. There’s no solution to that basic fact other than “don’t run JavaScript”.
The matter really depends on how much you trust your browser vendor (Google, Apple, or Mozilla) to secure the browser against exploits that could harm/steal/pwn your computer or your data. If you trust them to a reasonable degree, then precautions short of “disable JavaScript entirely” suffice. If you really don’t trust them very much at all, then disable JavaScript (and possibly take even stricter measures to limit your exposure, such as running your browser in a VM, or some such thing; Richard Stallman’s browse-by-email workflow would be an extreme example of this).