Board: Bitcoin Discussion
Topic: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
Post by samr7 on 10/08/2011, 14:08:23 UTC
The fact that the private keys are encrypted before sending to the server is of little value if a weak password is used.  You or anyone in possession of the encrypted data could brute force the password, it would only be a matter of time.

Could you make your Javascript work with something like the yubikey?

So far, all of the large-scale attacks against bitcoin sites were not aimed at individual accounts.  They were aimed at the central wallet for the site.  Yubikeys will make it hard for someone to clean out your account by stealing your password.  However, they won't protect you against a site-wide break that renders the site insolvent to pay back your account balance.

StrongCoin, however, does not have a site-wide wallet, and keeps each account key encrypted with a separate password.  An attacker that manages to steal the account database will need to break the individual passwords.  Unless an attacker is targeting specific accounts with large balances known to be hosted by StrongCoin, the compute cycles will be better spent mining for bitcoins.

That said, the security does heavily depend on users picking good passwords, and remembering them.  The site's address generator does have a calculator that gives an estimated cracking time, so hopefully it will foster good practices.

Details about the encoding scheme are here, along with a (small) password cracking challenge.
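As an added illustration (not StrongCoin's code and not part of the post), this is the kind of estimate the "estimated cracking time" calculator mentioned above can produce: it assumes the server-side blob was protected with a PBKDF2-style key derivation, models password entropy with a simple character-class count, and scales the measured cost of one guess on this machine by an assumed attacker speed-up.

```python
import hashlib
import math
import string
import time

# Assumption: the encrypted key blob was produced with a PBKDF2-style KDF at
# this iteration count. The real StrongCoin parameters are not given here.
PBKDF2_ITERATIONS = 100_000


def password_entropy_bits(password: str) -> float:
    """Entropy under a character-class model: the attacker is assumed to know
    which classes appear and to enumerate every string of that length over
    the combined alphabet. This is an upper bound; dictionary words score
    far lower in practice."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def guesses_per_second(iterations: int = PBKDF2_ITERATIONS, samples: int = 3) -> float:
    """Measure how many password guesses per second one core of this machine
    can test, where each guess costs one full KDF run."""
    salt = b"constructed-salt"  # constructed value, any fixed salt will do
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate", salt, iterations)
    return samples / (time.perf_counter() - start)


def expected_crack_seconds(password: str, rate: float, attacker_speedup: float = 1e4) -> float:
    """Expected time to hit the right password: on average half the keyspace
    is searched. attacker_speedup models GPU or cluster parallelism relative
    to the measured single-core rate (assumed factor, not a measurement)."""
    keyspace = 2 ** password_entropy_bits(password)
    return (keyspace / 2) / (rate * attacker_speedup)


if __name__ == "__main__":
    rate = guesses_per_second()
    for pw in ("password", "Passw0rd!", "correct horse battery staple"):
        days = expected_crack_seconds(pw, rate) / 86400
        print(f"{pw!r}: {password_entropy_bits(pw):.1f} bits, ~{days:.3g} days")
```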