JavaScript userscripts: Checklist for making sure a userscript doesn’t have security loopholes? [closed]

I am not expecting a definitive and complete fool-proof list, since security is an extremely complex issue, so that would not be realistic, certainly not in a format like this.

I am also not looking for a list of attacks: If anything, a list of things to avoid attacks.

I am aware of authoritative sources such as Mozilla’s Types of attacks and others, including entire libraries on the topic. However, those are deep descriptions of types of attacks, but certainly not focused on mere userscripts for e.g. Tampermonkey, and also not on practical tips, which is what I am specifically aiming for. Or at least I have not been able to find something like that.

One example: In this answer, @Bergi says: “...beware that it is possible for hostile webmasters to follow unsafeWindow usage back to the script's context and thus gain elevated privileges to pwn you with.”

I am looking for a humble practical set of at least some top priority guidelines to be able to say “my script does not have a security loophole”. I suppose someone saying so would have gone through a reasonable set of well-known practical things. Well, I would imagine so.

So, when coding a userscript, for the likes of Tampermonkey (or other “monkeys”): what are the minimum (at least some) obvious things that I should go through, that my code should (or should not) be doing to avoid “security loopholes” (for example a webmaster attacking my script) without having to complete a PhD thesis to prove it?