Further, there's no requirement that a tampermonkey script be open-source. They usually are, but so are the regular extensions I choose to install.

I don't know about chrome, but Firefox also allows automatic updates to be disabled on a per-extension basis.

I'm a fan of userscripts but lets not pretend they're magically better.

There is a block and allowlist for which sites can it run.

For example Firefox can't even control on which websites the extensions run. This is stupid and bad. Tampermonkey just does this thing right too.

Edge at least has an allowlist, if I'm not mistaken.

The permissions to run scripts in the context of a webpage (i.e. full access, what tampermonkey does) are gated on a per-site level.

E.g. here's the "bypass paywalls" extension requesting permission to inject content scripts into particular domains sites: https://github.com/iamadamdev/bypass-paywalls-chrome/blob/c6...