AMZN://java/trap?trapped=yes
"...you don't even need a web server to host your application."
First off, there has to be a web server involved somewhere, that is just a matter of reality (unless this starts with FTP or NNTP or some shit like that...AMZN:// ?). Depending on how you mean "server", a web server isn't just about <tags>, it can add a level of security. And what about XSS attacks? With this much dependency on JS can these be exploited even further or slicker than in the past? (I really don't know the in's and out's of XSS, so they're real questions, not rhetorical).
I guess in the end, no web server equals 1 less security risk, but also 1 less security level. So this changes nothing, well of course besides locking customers further in.