[zzzcpan]

> You cannot "pierce" into a shadow DOM from the outside

Why not? You can inject any script into a meta header on document start from an extension or do the same in an intercepting proxy.

[ameshkov]

Shadow DOM is created dynamically using "attachShadow". You can try overriding Element.prototype.attachShadow, but this is easy to detect.

[zzzcpan]

Well, currently adblocking is already full of such easy to detect overrides, and extension APIs already have plenty of limitations on what they can touch and replace allowing websites to easily bypass most of the overrides, but they do work at the moment and websites don't bother.