I actually didn’t know about setTimeout using strings to eval, but it seems reasonable.
Tampermonkey can actually run scripts before the browser loads the JS, so if the user chooses to do your logic is now invalid 
Plus, it’s actually a bad idea to do that and it doesn’t really matter anyways.
Why try to prevent the user from executing code on their own browser?
It doesn’t make sense… there will always be ways to do stuff like that.
Also, IDK if you knew this, but asm.js actually allowed you to run UNREAL ENGINE IN THE BROWSER!!!
Cewl right?
And webassembly isn’t as “dangerous” as you think. Just because it’s closer to “hardware” doesn’t mean anything.
You have access to the stack, sure. What difference is that?
I’ve worked with it before, as of now it’s pretty restricted (later on they may add DOM interface; someone found a way to call JS canvas functions from inside of WASM, which was cool).