Hi!
No, it applies to all user scripts. I doubt that every user who is including them in their profile is doing a security audit of the JavaScript.
Only if the user is including them in his profile. Other users can't include anything in a user's profile. Users can use Greasemonkey to load any scripts they want too; we won't protect against that.
See a). User scripts are not in revision control (apart from the MediaWiki history).
MediaWiki history is revision control ;-) And I'm not talking about user scripts, I'm talking about site-wide scripts.
See a). This already applies to user scripts. The reverse proxy will not open any new security holes. I could already hide code which sends the session keys through embedded iframes to any server in the world in my user JavaScripts, such as the WikiMiniAtlas (which is even included by default).
User JavaScript is the user's problem. Site-wide (all-projects-wide) JavaScript is a serious threat to the site, especially giving uncontrolled, unmonitored access to that.
By not seeing this, you guys confirm that this should not be enabled ;-)
BR,