There’s not really a flaw (that I know of), so sorry for the theatrics. Just thought that would be a good draw.
But really, there is a human problem from which NoScript cannot protect you. What if you have setup a website as trusted through NoScript, then that site gets compromised? If there is malware in the compromised site, it is possible that your trusted relationship will allow that code to run and infect you. Yes, there are extra protections built into NoScript to protect against even trusted sites (see screenshots below), but this is still a problem if you have a site in the whitelist and it gets compromised.
This seems obvious now that I see it, but I never thought about it until Alan’s blog got compromised. My advice would be to whitelist as little as possible and to use the temporary allow feature for everything that doesn’t cause you severe headaches.
NoScript Advance options: