Let's assume an HTML5 web page with an (in)appropriate server-side background so that http://www.my-site.com/execute?query="SELECT * FROM Table" gets executed via AJAX and returns results. Not very smart, indeed.
But how about in the context of a hybrid mobile app, i.e. an HTML5 app inside an iOS/Android/Windows Phone wrapper/skeleton delivered as an application through the appropriate store?
Q: Do we consider JavaScript safe in the context of a hybrid mobile app?
I would say no.
If somebody looks at your network communication, or maybe if you accidentally forget some debug logging, it's probably fairly easy to find out the URL. And the query probably would also work when called in a browser (be it mobile or desktop).
Of course you can ask yourself: how popular is your mobile app and would anybody even try to hack it. But I wouldn't bet on that.
Edit: we usually use something like a (REST) API, and the answer from the server is JSON which is then parsed by the client. Don't let anybody be able to type in SQL queries!
A: In terms of "security" on iOS: you can browse the device with e.g. iExplorer. On Android, there are also ways (rooted device or adb). Given the PhoneGap structure, your JavaScript would then be located in the "assets_www" folder or similar. So if somebody wants to, he/she can look at the JavaScript source just like on the web.
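Added example, not part of the original posts: a server-side sketch of the difference between the `execute?query=` pattern from the question and the JSON API recommended in the first answer. The table names, the `list_products` handler, the allow-list and the sample rows are all constructed for illustration.

```python
import json
import sqlite3

# Constructed sample data: one table the app needs, one it must never expose.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT);
    CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
    INSERT INTO products (name, category) VALUES
        ('kettle', 'kitchen'), ('toaster', 'kitchen'), ('lamp', 'living');
    INSERT INTO users (email, password_hash)
        VALUES ('alice@example.test', 'constructed-hash');
""")

def execute_raw(query):
    """Pattern from the question: the server runs whatever SQL the client sends."""
    return json.dumps(db.execute(query).fetchall())

ALLOWED_CATEGORIES = {"kitchen", "living"}  # hypothetical allow-list

def list_products(params):
    """API-style endpoint: the SQL text is fixed on the server; the client only
    supplies a validated value, which is bound as a parameter."""
    category = params.get("category")
    if category not in ALLOWED_CATEGORIES:
        return 400, json.dumps({"error": "invalid category"})
    rows = db.execute(
        "SELECT id, name FROM products WHERE category = ? ORDER BY id",
        (category,),
    ).fetchall()
    return 200, json.dumps([{"id": r[0], "name": r[1]} for r in rows])

if __name__ == "__main__":
    # The raw endpoint exposes every table to whoever finds the URL in the
    # app bundle or in captured traffic.
    print(execute_raw("SELECT email, password_hash FROM users"))
    # The API endpoint answers only the question it was written for.
    print(list_products({"category": "kitchen"}))
    # SQL text sent as a parameter value is rejected, never executed.
    print(list_products({"category": "SELECT * FROM users"}))
```

Because the client-side JavaScript can be read on the device, the boundary has to be enforced in the handler on the server, not by hiding the URL.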