If you don't want LSOs, disable cookies, too. It's exactly the same thing. An LSO cannot do anything itself ; it's just a file, and the site that created it (and only the one that created it - www.example.com can't read www.example2.com's LSOs) can write in it or read it.
If the Photobox webmaster wanted to take your credit card number (I don't know anything about Photobox - I assume there is some kind of paid accounts ?), he could do so by lots of ways - cookies, LSOs, javascript, ...