I'm sure that's the intended state of affairs. But there's a difference -- at once psychological and technical -- between "trusting someone else's application code" and "letting their developers have remote debugging access to your machine."
They don't have any remote debugging access they wouldn't have... the JS still runs in your browser, sandboxed to the window with their website in it... it can't do anything else that any JS could do... it may be a psychological difference, but it's not a technical one...
I've considered a number of times about actually shipping dom-diffs so that support could see what a user is seeing. This technology has been around for a while.
