If you build a webmail client, you need to know all about these attack vectors, and you need to go out of your way to prevent your application from being susceptible to them. Websites are insecure by default.
I don't trust a web browser with my email at all. Not yet. If I were to use webmail, I'd make sure to set up a separate instance of Firefox to run it in, with it's own profile. I will continue to use Thunderbird for now though.
I'm not against the idea of using webmail, I just don't think the web is secure enough yet.