
A bookmarklet would be better. It could achieve the same functionality without the security issues of an extension.


Isn't a bookmarklet just a script that runs in the context of the current page when you click on that bookmark? If so, the script has full access to your data. It can steal your auth cookie or some keys from the local storage and send them to some server.


A bookmarklet is only invoked when you click it. Not on every fricking website you visit.

And it would just have to be a single line that you can read so you can trust it. Something like:

    javascript:location.href='https://discuss.com/'+location.href

That would redirect you to discuss.com where you can discuss your current URL without discuss.com having any access to your data.

To make it more convenient, the bookmarklet could also add the discussion to the current page via an iframe which also has no access to any outside data.
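
The iframe variant described in the comment above, as an added example that is not part of the original thread: only the page URL is forwarded, with its fragment and any embedded credentials stripped, and the discussion is framed in a sandboxed iframe. Passing the URL in the fragment follows the comntr bookmarklet quoted in the thread; `discussionTarget`, `embedUrl` and `addDiscussionFrame` are hypothetical names, and `discuss.com` is the placeholder site from the comment.

```javascript
// Added example. DISCUSS_ORIGIN is the placeholder site from the comment above.
const DISCUSS_ORIGIN = 'https://discuss.com';

// Reduce the page URL to what a discussion site needs. The fragment and the
// user:password part are dropped because they can carry tokens or credentials.
// Returns null for anything that is not a plain http(s) URL.
function discussionTarget(pageHref) {
  let u;
  try {
    u = new URL(pageHref);
  } catch (e) {
    return null; // not parseable as an absolute URL
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// The page URL travels in the fragment, which the browser does not include
// in the HTTP request; only script running on the discussion page reads it.
function embedUrl(pageHref) {
  const target = discussionTarget(pageHref);
  return target === null ? null : DISCUSS_ORIGIN + '/#' + encodeURIComponent(target);
}

// Append the discussion as a cross-origin, sandboxed iframe. `doc` is the
// page's document; it is a parameter so the function can run outside a browser.
function addDiscussionFrame(doc, pageHref) {
  const src = embedUrl(pageHref);
  if (src === null) return null;
  const frame = doc.createElement('iframe');
  // No allow-same-origin, allow-top-navigation or allow-popups: the framed page
  // runs in an opaque origin and cannot navigate the host tab or open windows.
  // (Assumption: the discussion site works without its own cookies/storage.)
  frame.setAttribute('sandbox', 'allow-scripts allow-forms');
  frame.referrerPolicy = 'no-referrer'; // host URL is not repeated in Referer
  frame.src = src;
  frame.style.cssText = 'position:fixed;right:0;bottom:0;width:400px;height:60%;border:0;z-index:2147483647';
  doc.body.appendChild(frame);
  return frame;
}

// As a bookmarklet body in a browser: addDiscussionFrame(document, location.href);
```

The bookmarklet code itself still runs with the host page's privileges when clicked, so the trust argument rests on it being short enough to read; the sandbox only constrains what the framed discussion page can do afterwards.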


But if you click on it, it will have access to all your data? There is no in between: either no access until you click or full access when you click.

This can be done already:

    javascript:location.href='https://comntr.github.io/#'+location.href


True. Infra is already there, nothing prevents someone from making a bookmarklet that uses the same database.



