
It's funny how when you mention NoScript in the presence of web "2.0" developers, most hate it, but if you mention it in the presence of sysadmins, network admins, security bods, general techies, they love it.



[deleted]


You know, having used the web extensively since JavaScript was called LiveScript, I've never had a security issue where blocking JavaScript would have helped. Plugins, yes, using IE and ActiveX a thousand times yes, but the only problems JavaScript has caused have been annoyances like ads.

The reason is simple: JavaScript actually has a security model and browsers are one of the few bits of software with widely used update systems; plugins and most other applications are much easier targets (all of that juicy native code not coded defensively) and drift horribly out of date.

So, yes, put me firmly on the list of people who find NoScript 70% PR, 20% clunky UI, and 10% meaningful improvement. Something like Chrome's sandbox and click-to-play will actually make a noticeable benefit for the web because it'll actually be used - and even that's somewhat minor since we're still losing the user education battle where most exploits are actively assisted by the user.


Are you sure you fully understand XSS? The whole problem with XSS is that it works within the browser's security model. Sandboxing is a totally separate issue.



