The userlogin page does disable the MediaWiki:Common.js and
However, if a user has selected gadgets using specialprefs
and re-visits the userlogin page after logging in (perhaps
to switch to their other-other account :p) a malicious
gadget could go south with the password, just as easily as
is disabled for (I thought) the same concern.