My takeaway is that it's pretty much impossible to let your users simultaneously (a) create their own personal pages (b) on a site where other users have identities managed by cookies.
This was one of the reasons blogspot could let users have arbitrary JS: it's a totally separate domain, so there's nothing to worry about. ...or is there? [cue ominous music] (To tell the truth, I have no confidence either way.)
* David always trips me out because he's like 12 years old and sorta looks like a big kid but comes across as totally competent in text.
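The separate-domain point above comes down to cookie scoping, sketched here as an added example that is not from the original post. The hostnames, cookie shapes and function names are constructed for illustration, and the check follows the RFC 6265 domain-match rule only (no Path, no public-suffix handling).

```javascript
// Constructed hostnames: the app sets its session cookie from www.site.example.
const APP_HOST = "www.site.example";

// RFC 6265 section 5.1.3 domain-match (hostnames only, IP literals not handled).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  return h === d || h.endsWith("." + d);
}

// cookie: { domain?: string, httpOnly: boolean }, set in a response from APP_HOST.
// Returns whether the browser puts the cookie in scope for pageHost, and whether
// script running on a page at pageHost can read it through document.cookie.
// Path is left out on purpose: it does not separate pages that share an origin.
// HttpOnly only blocks reading; an in-scope cookie still rides on requests.
function cookieExposure(cookie, pageHost) {
  const inScope = cookie.domain === undefined
    ? pageHost.toLowerCase() === APP_HOST    // host-only cookie: exact host match
    : domainMatch(pageHost, cookie.domain);  // Domain attribute: host plus subdomains
  return { inScope, readableByScript: inScope && !cookie.httpOnly };
}

// Evaluate one cookie against every place user pages might be hosted.
function audit(cookie, pageHosts) {
  return Object.fromEntries(pageHosts.map((h) => [h, cookieExposure(cookie, h)]));
}

const USER_PAGE_HOSTS = [
  "www.site.example",         // user pages under a path on the app's own host
  "alice.site.example",       // user pages on a subdomain of the app's domain
  "alice.site-pages.example", // user pages on a separate registrable domain
];

// Two constructed session-cookie configurations.
const wideCookie = { domain: "site.example", httpOnly: false };
const hostOnlyCookie = { httpOnly: true }; // no Domain attribute

console.log("Domain=site.example:", audit(wideCookie, USER_PAGE_HOSTS));
console.log("host-only, HttpOnly:", audit(hostOnlyCookie, USER_PAGE_HOSTS));
```

Only the separate registrable domain is out of scope under both configurations; a subdomain is out of scope only while the session cookie stays host-only.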