What attack vectors does arbitrary JS on a user profile allow?

Consider a site for frontend devs/designers to host their portfolio apps – pages with arbitrary JS, each hosted on a user’s separate profile.

What attack vectors would that enable against the site? Some suggestions and comments:

  1. Defacing the site (user’s own profile, not interesting)
  2. Phishing (by rewriting the UI to ask for credentials while using the safe domain)
  3. Credential theft of logged-in users, by pulling auth cookies (irrelevant if auth cookies are HTTP-only?)
  4. Request forgery (by triggering a POST request from within the approved domain)
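
Items 3 and 4 turn on what the HttpOnly flag covers: it blocks script reads of a cookie, but the browser still attaches the cookie to requests sent from same-origin pages. The following is an added example, not part of the original question, that audits `Set-Cookie` headers to list which cookies a same-origin profile page's script could read; the header values and function names are constructed for illustration.

```javascript
// Constructed sample Set-Cookie header values (not taken from any real site).
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "csrf_token=x=y=z; Path=/",
  "theme=dark; path=/; httponly",
];

// Parse one Set-Cookie value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("="); // only the first "=" separates name and value
  const name = eq === -1 ? "" : first.slice(0, eq).trim();
  const value = eq === -1 ? first : first.slice(eq + 1).trim();
  const attrs = Object.create(null);
  for (const p of parts) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Classify each cookie by its exposure to script running on the same origin.
function auditCookies(headers) {
  return headers.map((h) => {
    const { name, attrs } = parseSetCookie(h);
    return {
      name,
      // Attribute names are case-insensitive; presence alone sets the flag.
      // Without HttpOnly, document.cookie on a same-origin page returns it (item 3).
      readableByScript: !("httponly" in attrs),
      secure: "secure" in attrs,
      sameSite: "samesite" in attrs ? String(attrs.samesite) : null,
    };
  });
}

// Names of cookies that need review: readable by any same-origin script.
function scriptReadableNames(headers) {
  return auditCookies(headers)
    .filter((c) => c.readableByScript)
    .map((c) => c.name);
}

console.log(auditCookies(SAMPLE_HEADERS));
```

A cookie reported with `readableByScript: false` is still sent on same-origin requests, so the flag addresses item 3 only and leaves item 4 as a separate concern.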