Capability + intent is what counts in this case. They intend to deploy countermeasures targeting a minuscule percentage of people, but every user will probably feel the consequences. This, plus the fact that they are willing to serve JS from third parties, is a dangerous mix. It's not what you would expect from a music player app.