Following reductio ad absurdum, that's the case with any programming language. When you enter your credit card information or whatever information into an application (say Amazon.com), it's you who is entering or someone who already knows it so stealing would be redundant.
However, in all seriousness, I guess you are talking about something called a global variable leak where you can access variables like these:
var a = 'test';
Alt + Cmd + J and console.log( a ); Yeah. It will work.
However, if there is global variable leak, then it'll fail the security assessment (in case of credit-card data) or it'll be removed in the code-review process (in other cases).
Since functions execute extremely fast (depending on the complexity and your computer's clock cycle), it'll take you nanosecond precision to capture the memory address of a variable and then get the information. By the time you do it, the data will be considered stale (see XSRF on why this is done.)
Lastly, most of the times, the JS script (tautology?) handling such interactions is wrapped in an immediately invoked function expression which expose an internally-scoped (and they're, by extension, "protected") functional abstractions to manipulate and mutate your data.
I hope this answers it. I'd be glad to help you further with this! :)