I agree that the script should never assume the client is secure, as an essential component of a security-in-depth strategy.

However, a secure client really is necessary for making sure only authorized users use the script. A compromised computer may be under an unauthorized user's control, but have a permitted IP address and access to the password or the SSL certificate.