
Probably something like DOM-swapping the Google login page or whatever. If you can keep arbitrary CSS transitions running, I could imagine doing a bunch of weird stuff where you don't know exactly what box you're typing in to.

https://developer.mozilla.org/en-US/docs/Web/Security/Attack...




If you can run arbitrary JS on the Google login page then you could simply intercept the form submission and steal the credentials... Am I missing something?


Is the ability to move elements preserving DOM state really the key to such attacks? Previously you could do the same but the iframe would reload - but if it's a small simple page, it could load very quickly, in which case it doesn't seem all that different to moving the iframe with its existing content.


> I could imagine doing a bunch of weird stuff where you don't know exactly what box you're typing in to.

What stops malicious JavaScript that would have used moveBefore() to just add key event listeners?



