Prior to the freedom hosting JavaScript exploit, many did not see any security issue with JS.
In the case of Freedom Hosting, the sites servers were compromised and malicious code was located on the server itself.
So, the point is that it doesn't matter (in this sense) if JavaScript is enabled or not, if the servers intent is malicious it can be done with or without Javascript.
The reason a JavaScript exploit was used is because the nature of the target (Web Hosting, allows users control over some backend aspects, long time standing and community familiar with site design) meant that JS was an appropriate attack vector since it would be relatively unnoticed.
There is a host of malicious attack vectors a site can use, regardless of clearnet, .onion, or .i2p. If the server is malicious it can attack through nearly any type of extension type.
tldr; Even if JS is disabled, if the servers intentions are malicious there are multiple alternate attack vectors the server can use.
So what does this mean for the people (like me) who don't really know what you're talking about. What precautions should we take, if there's any we can? Obviously turn off JS, but are you saying there's no real way to tell...?