Same-domain policy 101
> No, it doesn't run "in the context of the page". It runs in the context of the google.com domain.
> Similarly, they can't modify it to steal the admin login from the change.gov website.
Not that they would, but yes they could.