There is no misunderstanding, you can't sandbox plain HTML or JavaScript... There are no security issues! Accessing the BC API with JavaScript (WITH NO MIDDLE MAN SERVER!) there is no issue, if they make a REST API that would be even better, but accessing the SOAP API via JavaScript is not a security problem, it's 100% on BC's platform, no external resources. I'll keep doing what I am doing and you keep doing what you're doing.
To answer the original poster's question, it is possible to do but no one has created one. If someone wants it made they can hire me to make it for them and I'll make it without a problem or security issue.