Scripts can do almost everything, for example replace the whole page with login page identical to the real and send entered password somewhere. Leaking session identifier is bad, but it's not as severe compared to other things scripts can do.

True, but your example is very targeted at a specific page. With local storage, you can have a simple short function that works everywhere and just sends everything back to your server. No need to specialize, works everywhere.