Same-domain policy 101
> No, it doesn't run "in the context of the page". It runs in the context of the google.com domain.
Yes, it does. When JavaScript is SRC'ed in, it executes in the context of the host domain, not the origin of where the file actually resides.
> Similarly, they can't modify it to steal the admin login from the change.gov website.
Not that they would, but yes they could.
Go read:
http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1238653,00.html