The well-known timing attack which allows you to completely deanonymize the user if you control the guard and the server (or server's ISP) does not require JS. For example, if the NSA wanted to know everyone who visits antiwar.com regularly, they'd observe antiwar.com's ISP and set up Tor non-exit relays such that you have a 5-10% chance of choosing one of the NSA's relays as a guard every time you start Tor. Over time they'd build a complete list of all IPs for Tor users who visit antiwar.com. It's almost trivial. I'd be surprised if the NSA is not doing this already, possibly for large sections of the entire Internet (especially centralized things like Cloudflare).

VPN/HTTP proxy: a little lock on a diary
Tor: A Master lock. (Note: look up lockpicking videos for Master locks.)

There is currently no anonymity technology which is secure in the way that Bitcoin is secure (against different attacks). Anonymity research is weak, and implementation is even worse. For example, there's something from academia called Riffle which fixes some of Tor's many problems, but nobody's bothered implementing it in a usable form even years after it was published.