I would like to hear someone who is in favor of JS MVC explain how you deal with security.
If your controllers contain business logic and they are all JS then you have a security problem.
Or are people backing their controllers with other (non extjs ) controllers ?
Client-side Javascipt is inherently insecure. The server should always be responsible for security in a web application.