I take it that this means that, if you’re concerned with spyware and malware, you don’t want to play local executables either, unless they’re sandboxed files that run in interpreters. In fact, in at least one case that I can think of a homebrewed downloadable game had some malware issues.
Downloading the HTML + JS so the game can run in your browser wouldn’t address this issue, would it? The JS could still run scripts you might not want. I don’t really understand the technical aspects of it (for instance, I don’t really know whether I used “sandboxed” correctly in the previous paragraph).