And no plug-in to download because everybody's browser has a highly-performant Javascript engine.

i don't feel having like extra virtual dom over the virtual dom of react, will make things highly-performant, god we need this doesn't happen. i wish to see the 0,1 fps react crud app, that will come from this.

This is the plugin

Says who?

As an SWE who used to work on Internet Explorer (yeah, laugh), I know I can't say that JS is somehow impervious to possible attacks and privilege-escalation out of the browser-imposed sandbox (which can and does happen), but when one compares even the basic nature of Flash's plugin/ActiveX control vs modern browser JS engines, the threat-model and browser-vendors' mitigation strategy, it means I have easily 100x more trust in in-browser JS as a far, far "safe"-er environment than Flash.