a Javascript function could set the value to a known file location and submit it, and presto, some vital file from your hard drive has been whisked off to a server you don't know.

This hypothetical is no different from what theoretically could happen with the current DOM-integrated file upload form element. As it happens, secure modern JS implementations do the right thing and do not allow the behavior you describe. I am no big JS apologist but I happen to be reading O'Reilly's "Javascript: The Definitive Guide" and this specific issue was just covered.

I would welcome adding directory-upload functionality to client-side JS.