Trust enforcement, sync data-safety, and backup slimming.
Security
- Subresource Integrity "Require" mode is now enforced — refuses to run any @require/@resource without a verifiable SRI hash; the install review flags every un-pinned dependency as "unverified remote code".
- Scam / crypto-drain detector — flags wallet seed/private-key access, drainer keywords, and wallet transaction requests, with a high-severity "possible credential/wallet exfiltration" finding when a script harvests secrets and sends data off-page. Benign wallet-adjacent scripts aren't flagged.
Data safety
- Cloud backup no longer clobbers the sync envelope (distinct object per provider) and encrypts under E2EE.
- Easy Cloud sync received the merge fixes: restored-from-trash scripts survive, clean 3-way merges aren't discarded, correct 3-way base.
- SettingsManager write-race fix — concurrent settings writes no longer drop a freshly refreshed OAuth token.
UX & storage
- "Only on This Site" one-click scope in the popup + @match validation in the dashboard editor.
- Backup blobs are gzip-compressed in IndexedDB (transparent, backward-compatible).
Full detail in CHANGELOG.md. Remaining roadmap items (on-device AI, optional host permissions, GM.fetch streaming, per-script cookie jars, git/local-folder sync) are larger bets deferred to dedicated sessions.