The runtime protections aren’t pointless. The interpreter makes it difficult to inspect the malicious code during execution, but it doesn’t circumvent any sandboxing of the browser.