by thanksforfish 2248 days ago
What's the security story for userscripts?
2 comments

Most are short at least, if you know js you can actually skim for blobs, URLs or obfuscation (blobs or URLs can be legitimate, just without them I feel quite safe right away).

Feels way safer than installing an add-on from the store, but of course just for me as a programmer.

On the user's side: Treat userscripts like stuff you paste in the browser console.

In terms of actual tech: GreaseMonkey (and probably also Tamper-/ViolentMonkey) does some sort of isolation between the userscript and the page so that the page can't hijack the userscript. More on that here: https://wiki.greasespot.net/UnsafeWindow
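
An added example, not part of the original thread: a small Node.js triage pass that automates the skim described above (URLs, blobs, obfuscation) and also lists the metadata block's `@grant` and `@require` entries, including `unsafeWindow`. The function name, output fields, marker list, 80-character blob threshold and the sample script are assumptions constructed for illustration.

```javascript
// Added example: static triage of a userscript before installing it.
function triageUserscript(src) {
  const out = { grants: [], requires: [], urls: [], blobLengths: [], markers: [] };

  // Metadata block: "// ==UserScript==" ... "// ==/UserScript=="
  const meta = src.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  const body = meta ? src.slice(meta.index + meta[0].length) : src;
  for (const line of meta ? meta[1].split("\n") : []) {
    const m = line.match(/^\s*\/\/\s*@(\S+)\s+(.*\S)\s*$/);
    if (!m) continue;
    if (m[1] === "grant") out.grants.push(m[2]);        // requested privileged APIs
    if (m[1] === "require") out.requires.push(m[2]);    // code pulled in from elsewhere
  }

  // URLs in the script body (legitimate or not, each deserves a look).
  out.urls = [...new Set(body.match(/https?:\/\/[^\s"'`)<>]+/g) || [])];

  // Long quoted runs of base64/hex-looking characters ("blobs").
  for (const m of body.matchAll(/["'`]([A-Za-z0-9+\/=]{80,})["'`]/g)) {
    out.blobLengths.push(m[1].length);
  }

  // Constructs that commonly accompany obfuscation, plus unsafeWindow use.
  const checks = [["eval", /\beval\s*\(/], ["Function", /\bnew\s+Function\s*\(/],
    ["atob", /\batob\s*\(/], ["fromCharCode", /String\.fromCharCode/],
    ["unsafeWindow", /\bunsafeWindow\b/]];
  out.markers = checks.filter(([, re]) => re.test(body)).map(([name]) => name);

  // "Quite safe right away" case from the thread: nothing to chase down.
  out.cleanSkim = !out.urls.length && !out.blobLengths.length &&
    !out.requires.length && !out.markers.length;
  return out;
}

// Constructed sample userscript (not a real script).
const SAMPLE = [
  "// ==UserScript==",
  "// @name     Constructed sample",
  "// @match    https://example.com/*",
  "// @grant    GM_xmlhttpRequest",
  "// @grant    unsafeWindow",
  "// @require  https://cdn.example.net/lib.js",
  "// ==/UserScript==",
  "const cfg = atob('" + "QUJD".repeat(30) + "');",
  "fetch('https://api.example.org/v1?d=' + cfg);",
  "unsafeWindow.helper = () => eval(cfg);",
].join("\n");
console.log(JSON.stringify(triageUserscript(SAMPLE), null, 2));
```

A `cleanSkim` of `true` only means these heuristics found nothing to chase; every flagged item is a place to read more closely, not a verdict.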