I know that Javascript is an incredibly unsecure way of programming a persistent game, where for instance you are doing battle calculations in an RPG and then award XP through l
In short, you can't trust anything sent from the client, so the answer is yes - you gotta do the work on the server side.
No matter what the game, whether JS or native binary, if the scoring system is vulnerable, people will tamper if the game is good enough. Stick to clever serverside every time.
Anything that's not on the server is inherently insecure. After all, it only takes a telnet connection and the user can send literally anything they want to your server.
Unfortunately, HTML5 doesn't change these basic properties in any way. So no, you have to do it all server-side.