Hacker News
by randormie 2692 days ago
It's creepy indeed. Not only do they collect all your actions (key presses included) but I believe they also send the activity to their servers via HTTP, rendering the SSL on the page that includes their script useless.
2 comments

If it's an HTTPS page, wouldn't that be blocked due to mixed content though? Or are HTTP requests from an HTTPS-loaded script allowed?
Modern browsers should block all backend/JavaScript HTTP communication if the main request is made over HTTPS, unless you specifically disable it with a Content Security Policy.
Better to just disable JavaScript altogether. Sure, there's no dynamic loading of garbage, but I didn't want that anyway. If your back-end server can't render HTML then you need to build an app.

At least with native desktop apps I can put that garbage into a VM or container. Load whatever you want. I can then apply my own firewall/containerization/VM rules.

According to their documentation, it is sent in HTTPS.

https://help.hotjar.com/hc/en-us/articles/115011639887-Data-...