> I suppose that once a page includes third-party scripts, it already gives them the key to its kingdom, like sniffing anything from DOM or altering it in arbitrary ways.

No, loading a script (from anywhere) effectively invites it into the origin of your page, giving it access to everything connected to the origin of the page. That is, the origin of the script is not considered, only that of the page.
Think about loading jQuery from a CDN, for example, which people do. If third-party scripts couldn't access the DOM it wouldn't be very useful.
Doesn't the same-origin policy prevent this?
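
The rule from the reply above, written as a small model. This is an added example, not part of the original thread and not real browser code. The function names and all URLs are constructed, and it goes slightly beyond the thread by also showing the scheme, subdomain and port cases.

```javascript
// Simplified model of the rule discussed above; not real browser code.
// Every URL below is a constructed sample.

// An origin is scheme + host + port. URL.origin drops default ports.
function originOf(url) {
  return new URL(url).origin;
}

// A classic <script src="..."> executes in the origin of the document
// that included it. Where the file was fetched from is not considered.
function executionOrigin(documentUrl, scriptSrc) {
  void scriptSrc; // intentionally unused: the script's URL does not matter
  return originOf(documentUrl);
}

// The same-origin policy compares the running code's origin with the
// origin of the document whose DOM it tries to reach.
function canAccessDom(documentUrl, scriptSrc, targetDocumentUrl) {
  return executionOrigin(documentUrl, scriptSrc) === originOf(targetDocumentUrl);
}

const PAGE = "https://shop.example/checkout";
const CDN_SCRIPT = "https://cdn.example.net/jquery.min.js";

// Documents the CDN-hosted script might try to touch once loaded by PAGE.
const TARGETS = [
  PAGE,                                 // the including page itself
  "https://shop.example:443/account",   // same origin, default port spelled out
  "https://pay.shop.example/frame",     // subdomain: different host
  "http://shop.example/checkout",       // different scheme
  "https://shop.example:8443/admin",    // different port
  "https://cdn.example.net/index.html", // the script's own host
];

function accessTable() {
  return TARGETS.map((target) => ({
    target,
    allowed: canAccessDom(PAGE, CDN_SCRIPT, target),
  }));
}

for (const row of accessTable()) {
  console.log(`${row.allowed ? "ALLOW" : "BLOCK"}  ${row.target}`);
}
```

The policy separates documents of different origins from each other; it does not separate a page from the scripts that page chose to load.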