All the JS API provides is a way to give the user a savepoint on his history that he can go back to, correlate with others on the browser history, or do whatever he wants.
This is only a security issue because the browser developers want it to be. There's nothing on the standard saying that when you click back, it should go to the previous link inserted by JS, or that there must be a single button for everything, or that every site is treated the same way.
Anyway, removing the quite useful possibility of the browser remembering the history of the usage of an application won't solve the issue of browser innovation being destroyed or of malicious sites using any loophole available to get something out of you. For that we need browsers and basic web infrastructure that are focused on supporting your needs, what the current crop clearly isn't.
This is only a security issue because the browser developers want it to be. There's nothing on the standard saying that when you click back, it should go to the previous link inserted by JS, or that there must be a single button for everything, or that every site is treated the same way.
Anyway, removing the quite useful possibility of the browser remembering the history of the usage of an application won't solve the issue of browser innovation being destroyed or of malicious sites using any loophole available to get something out of you. For that we need browsers and basic web infrastructure that are focused on supporting your needs, what the current crop clearly isn't.