These bindings, along with the other class-constructor-cum-type-name bindings, are immutable in ES4. That helps JSON integrity/security, but it is not enough: an inner scope could contain shadowing Object and Array bindings, and per ES3, these would be used ("as if by the expression new Object()"), and possibly you'd be hacked.
This is an incompatible change to ES3, but it seems like a necessary change for integrity. It might break clever but benign code, but I know of no examples on the public web. And it seems that not only Opera, but IE and Safari as well, do not follow the ES3 spec:
http://www.webappsec.org/lists/websecurity/archive/2007-08/msg00091.html
So this should break at most some odd Mozilla-only code that rebinds or shadows Object or Array in order to change what object and array initialisers construct -- if any such code exists.
This could start as a Spec bug and morph into a RefImpl? bug, or the other way around. I'm trying Spec first. Comments welcome.
/be