I think it’s important to keeps some perspective on the actual risks involved in running these types of scripts. At worst, you risk exposing data in the browser, in open pages or in cookies. If you don’t trust the script, and don’t trust the browser’s compartmentalization, then the simplest thing to do is not run the script.

You can take some extra precautions, and run the script in a “sandbox” mode. Restart the browser, and delete all sensitive cookies. Then visit the page where you want to run the script. You control when the script is invoked, either by running the bookmarklet, or by the Greasemonkey @include. When the script runs there is no data it can access except for what is in the current page. Is there anything in that page you wouldn’t want potentially exposed? Then don’t run the script. If the data is not sensitive then you are OK. Shut down the browser when you are done, and the risk is over.

For scripts like this, that look at a list of movies, or news articles, there is not much to worry about. On the other hand I would not use anything like this when doing online banking or stock trades.

Ultimately I think the browser security models will have to evolve to deal with these types of extensions, so developers can add enhancements, and users can feel secure about what is happening in the background.

I realize you probably do this to make code changes easier and more efficient, but such a practice would also be a handy tool for the malicious coder who wants to present innocent looking scripts so people will install them, only to change it later to do something else (as is suggested in above article)