a) Available to sysops of particular project only
No, it applies to all user scripts. I doubt that every user who is including them in their profile is doing a security audit of the JavaScript.
b) Monitored, is in watchlists and under revision control.
see a). User scripts are not in revision control (apart from the MediaWiki history).
c) General codebase is constantly monitored for XSS problems.
see a). This alredy applies to user scripts. The reverse proxy will not open any new security holes. I could already hide code which sends the session keys through embedded iframes to any server in the world in my user Javascripts, such as the WikiMiniAtlas (which is even included by default).