Bryan,
XSS attacks are already possible by those who can edit the JS files by using the document.write('<script src=" trick.
That is: a) Available to sysops of particular project only. b) Monitored, is in watchlists and under revision control. c) General codebase is constantly monitored for XSS problems.
Again, this already happens.
How? When?
BR,