as for point #2, if the source code is run on a clean and offline computer (like a live Linux from a DVD) then i don't see how this could even be an issue.
There could be bugs in the implementation of some algorithms, for example regarding PRNG's.
Or they might be simply using outdated libraries, which even could already contain known vulnerability, decreasing the entropy used to generate the private key(s).
The javascript aspect isn't really influenced by where it is run (online / offline pc), but by the code and libraries itself.
A faulty implementation could result in easily crackable private keys. And you have no proper and comfortable way of checking the code / libraries.
A better way would be to simply create a wallet (e.g. core or electrum) on an offline computer with a live distro and use that private key for a paper wallet.