In my opinion it is much cleaner to distribute your code as an iframe and expose a postMessage API if for some reason your users need to interface with your code dynamically. This is more or less what facebook does except they have you pull in a js wrapper around the postmessage layer to help developers who aren't familiar with postmessage.
As a developer using someone elses library this makes me feel much safer as I'm not actually pulling in your code and giving it access to my application data, I'm instead able to count on the browser to sandbox your iframe and keep my users data private to me while keeping your code and data private to you.
Iframes have great security sandboxing and postmessage was created to allow safe interfacing between two pages with different domains, its simple and it works.