Oh I just needed to read a little further (oh Github, you're awesome):
https://github.com/blog/1477-content-security-policy
The answer is yes! User configured scripts should always be granted clearance! (but we are off to a rocky start it seems)
I actually think there's significant opportunity for social engineering happening here; "Install this bookmark in your browser to use our cute emoticons in forums!" "oh bookmarks can't be viruses, right?"