
The point is that if I send you an email, claiming to be your GP, telling you about "our new appointments system", and linking to something like:

http://yourgpwebsite.nhs.uk/some-vulnerable-page?xss=...

And my XSS replaces the page with something that looks like an appointments system, the average person has no way of knowing that they shouldn't trust this. There's certainly none of the usual indicators.



