A "very short spec sheet" is an invitation for people to start assuming things about how it will work. In the absence of details, speculation is inevitable.
That's fair, though if you do read said spec sheet, there's a few things you can infer. For one, they give a list of whitelisted AMP component, and none of them allow for arbitrary JS, so that's out.
Furthermore, at the bottom, they specify:
> All fetchable attributes like src and href must be static
and
> All network requests must be proxy-able to ensure that user anonymity is preserved
This implies that anonymity is big focus (so your information will not be leaked), and that things will be fairly static.
Almost all the "speculation" happening goes contrary to that, leading me to believe that no one has actually taken the time to read up, and are just blindly expressing their existing preconceptions and hatred about AMP.
Is there any proof that it'll be able to run arbitrary JS? Or that it'll be mutable? Or that there will be no way to turn it off?