It's not the JavaScript engine that's the security risk, it's that in order to run the new JS engine, the app running it has to be able to execute code from writable memory. This is where the security risk lies, and it has always been forbidden, for all apps. Safari can get an exception, since Apple obviously trusts its own code not to be malicious. But 3rd party apps still won't be allowed to execute arbitrary code from memory, so any apps embedding a UIWebView to present a browser can't get the performance improvements of the new engine.
The only real question is why Apple's own app that's used to display those saved-to-home-screen webapps didn't get an exception alongside Safari. My guess is that the Nitro engine is built directly into Safari and that the UIWebView control (which is used by webapp viewer app) simply can't use it at all, regardless of ability to execute writable code. I'm sure this will change, either the viewer app will get rewritten, or UIWebView will get its own sandbox etc. They probably just didn't have the time to do that yet.
The only real question is why Apple's own app that's used to display those saved-to-home-screen webapps didn't get an exception alongside Safari. My guess is that the Nitro engine is built directly into Safari and that the UIWebView control (which is used by webapp viewer app) simply can't use it at all, regardless of ability to execute writable code. I'm sure this will change, either the viewer app will get rewritten, or UIWebView will get its own sandbox etc. They probably just didn't have the time to do that yet.