Common--and good--advice is to not trust the client. If an organization has no control over the client, as is the case in web-based client-server applications, the client is not trustworthy. The Milwaukee Journal-Sentinel's Packer Insider is a very good low-stakes example of a site that has gotten this wrong. The Packer Insider is intended to be a subscription-only service, but I was reading it for a while, perhaps a long while, before I realized I was reading for-pay content.
If I visit http://www.jsonline.com/sports/packers/ in Firefox I get full access. If I visit it with Opera or Chrome, and click one of the Insider links, I get a login screen. What's the difference?
So, if I disable scripting, I get a much cleaner, more pleasurable view of the Journal Sentinel's Packer pages. As a side effect, I also get access to the Packer Insider materials. This is due entirely to poor security architecture at the Journal Sentinel's site, and, IMHO, strong evidence that the design was not done by an experienced professional. OTOH, there may have been other constraints making this desirable, and they may not actually care. If I were to lose access to these pages, I wouldn't really care because the Green Bay Press Gazette has comparable content that's openly available.
As an aside, there are those who think it is bad to disable advertisements that support web sites. I have sympathy for this view, but I don't want their scripts running on my machine, eating cycles, providing animations which make it difficult to concentrate on the actual content, and, in extreme cases, making noise or damaging my system. I will aggressively block Flash, animated GIFs, etc., that damage the user experience.
This shows a general advantage of server-side over client-side scripting. Providers have a better idea of what their pages look like on the client side if they use server-side scripting--which is controlled by the provider--rather than client-side scripting, which is controlled by the end user, the browser, malware, etc.
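The difference between the two designs, as an added sketch that is not the Journal Sentinel's code: the script-based redirect, the session table, and every name here are assumptions made for illustration. The weak handler ships the article and relies on a page script to turn non-subscribers away; the corrected one decides on the server before any subscriber content is written.

```javascript
// Added example. ARTICLE, SESSIONS and all function names are hypothetical;
// the data is constructed for illustration.
const ARTICLE = { title: "Insider: camp notes", body: "Subscriber-only analysis." };
const SESSIONS = new Map([
  ["s-sub", { user: "fan1", subscriber: true }],
  ["s-free", { user: "fan2", subscriber: false }],
]);

const page = (inner) => `<html><body>${inner}</body></html>`;
const fullArticle = () => `<h1>${ARTICLE.title}</h1><p>${ARTICLE.body}</p>`;

// Weak: every response carries the full article, and a script in the page is
// expected to send non-subscribers to the login screen (assumed mechanism).
function renderClientGated(_sessionId) {
  const gate = `<script>if(!document.cookie.includes("sub=1"))location="/login";</script>`;
  return { status: 200, html: page(gate + fullArticle()) };
}

// Corrected: the server looks up its own session record and decides before
// any subscriber content is written into the response.
function renderServerGated(sessionId) {
  const session = SESSIONS.get(sessionId);
  if (!session) return { status: 302, location: "/login", html: "" };
  if (!session.subscriber) {
    return { status: 403, html: page(`<h1>${ARTICLE.title}</h1><p>Subscribers only.</p>`) };
  }
  return { status: 200, html: page(fullArticle()) };
}

// What a browser with scripting disabled renders: the markup minus scripts.
function viewWithoutScripts(html) {
  return html.replace(/<script[\s\S]*?<\/script>/gi, "");
}

// True if the subscriber-only body reaches a client that runs no scripts.
function leaksToScriptlessClient(render, sessionId) {
  return viewWithoutScripts(render(sessionId).html).includes(ARTICLE.body);
}

console.log("client-gated, no session:", leaksToScriptlessClient(renderClientGated, undefined));
console.log("server-gated, no session:", leaksToScriptlessClient(renderServerGated, undefined));
console.log("server-gated, non-subscriber:", leaksToScriptlessClient(renderServerGated, "s-free"));
console.log("server-gated, subscriber:", leaksToScriptlessClient(renderServerGated, "s-sub"));
```
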
Summary: security must be on the server side.