As long as your handler always opens up a dialog for sending bitcoins I think this is safe. Javascript cannot abuse mailto: torrent: and all the other gazillion registered protocol handlers, so why the bitcoin one? And most browsers open some "do you want to start..." dialog anyway. So I think, go ahead, register the handler. Dragging something around, while nice, is not a solution.
Well the Bitcoin one has to do with payments. It is absolutely security critical. There is much more incentive to abuse it, than say, sending a mail or downloading a torrent... which is a fun spoof but not much more.
BTW, I follow your excellent development on bitcoin-qt. I constantly pull your changes and compile my client myself. But the average user cannot. Hence my point in making bitcoin-qt the official client.
I've asked for assistance in building binaries multiple times. It is quite involved, and I insist on doing it in a secure way. Multiple people would have to build it in an exactly equal build environment, then give the SHA hash of the .exe (and dependent DLLs). After, that it could be packaged and distributed using a https:// site.
But how to motivate people to help? I have tried posting topics in Project Dev or asking in my own thread, and hardly any replies. I hope you understand that I don't go developing and handing out bounties at the same time, there is a limit to the amount of energy I'm going to invest in this (Though I did donate to the Android client dev).