In this case, I would argue that a transparent, sandboxed programming language like javascript is probably one of the safer pieces of "software" someone can download. Especially because browsers basically treat all javascript like it could be malicious.
Why would I paste a secret key into software that my browser explicitly treats as potentially malicious? I still argue that trusting a verifiable author/distributor is safer than trusting an arbitrary website, e.g. trusting gpg is safer than trusting xxx.yyy.com/zzz.js regardless of who you think wrote zzz.js, simply because it's easier to get that wrong in some way than it is to accidentally install an evil version of gpg, especially if you use an open source package manager that makes use of PKI, or run it from TAILS, etc. I am also likely to trust javascript crypto served from https://www.gnupg.org/ more than from any other URL, for instance.
In general I agree wholeheartedly with your comment about sandboxing being important. The problem is that sandboxing does not imply trusting. I think smartphone apps are probably better sandboxed, but I don't necessarily trust the distribution infrastructure (app stores) not to push down evil updates, etc. Sideloading a trusted app by a trusted author is probably a more realistic goal for OpenPGP for the masses.
I agree with what you said, I just want to clarify something:
My original statements were made in a very specific context: here are some ways you can attempt to verify this specific piece of software*. At no point did I suggest that any of those methods could be used universally, or that they were foolproof. I grew weary of ChristianKI continually implying this, so I stopped responding to him.
So with that said: yes, using this program does require trusting me, the author. If you don't trust me, I have suggested some ways you could verify for yourself. If you aren't able to or it's too much trouble, that's fine; don't use it. As mentioned before, I never meant this to be "PGP for the masses".
Information security is a pretty big passion of mine; I don't think someone needs to have "something to hide" in order to make use of digital signing, encryption, etc. Another passion of mine is making things easier for other people to do. I've written a couple of tools that I think can be useful for the LW crowd.
Online PGP Signature: This is an online javascript-based tool which allows you to sign messages using your PGP private key. I love the idea of PGP-signed messages (I remember someone under the pseudonym "Professor Quirrell" handing out PGP-verified Quirrell points a few years back). The problem is, I had yet to find an easy way to do this that didn't involve downloading command-line based software. So I wrote this tool that uses open-sourced, javascript-based PGP libraries to let you easily sign messages in your browser.
The whole thing is client-side so your private key is never seen by me, but be smart about security. If you don't trust me, that's fine, just don't use the tool. But also remember that you could have a virus, your computer could be monitored, someone could be watching over your shoulder, etc. so please be smart about your security. But hopefully this can be helpful.
Decoy: an iPhone App: I wrote this after "The Fappening", where I was basically appalled at the terrible security practices that pretty much everyone uses when sending pictures back and forth. Decoy uses a combination of steganography and AES encryption to let you send images back and forth without having to sign up for an account or use some outside service that can be hacked or otherwise compromised.
You take the original picture, then you come up with a passphrase, then you take a "decoy" picture. The original picture is converted to base64 image data, which is then AES-encrypted using your passphrase. The resulting cipher text is then encoded into the pixels of the "decoy" picture, which is what gets saved on your phone and sent out. The "decoy" pictures are indistinguishable from any other picture on your or your recipients' camera rolls, and unless you have the passphrase, then the original image is thoroughly inaccessible.
If your phone is lost, hacked, stolen, or (more benignly) someone happens to be looking through pictures on your phone, all anyone will see are the "decoy" pictures. Without the password, those pictures are worthless. Although the app is primarily branded for, *ahem*, "personal use", there are plenty of other ways to use it. For example, my wife and I use it for things like sending pictures of sensitive physical documents like credit cards, birth certificates, social security cards, etc.
(full disclosure: although Decoy is free, it is ad-supported so I do financially benefit from people using the app. But on the bright side I'm an avowed rationalist and if I make a quajillion dollars with this app I will spend the vast majority of it on LW-friendly causes!)