By default Greasemonkey can access all data on all pages. With extensions being routinely compromised to steal crypto that’s starting to look like a bad deal. (If you limit it to a single domain in Chrome it will nag you to unlock it on Chrome startup forever)
I only use a few and they're simple enough I can read them before updating to see if they're bringing in something weird. Also in GP's case they could just write their own since they're already making them. No exploitable surface there if it's not a remote updatable script.
It's not the bookmarklets that OP is warning about, it's the risk that the GreaseMonkey extension itself becomes compromised. Basically, it's good browser hygiene to keep the number of extensions you have installed to an absolute minimum.
A bookmarklet alone isn't so much a concern, both because it doesn't run automatically on all pages (only when clicked) and because, as you note, you can usually pretty easily audit what you add and you don't get automatic updates.
By default Chrome can access all data on all pages. With browsers being routinely compromised by advertising companies working against your interest that's starting to look like a bad deal.
This is an important point. The only solution we're ever offered for security concerns is centralizing more and more control in the platform companies hands even though those same companies are increasingly abusing their power.