The word userscript makes me think that it injects js onto the page? If that's the case, couldn't existing js hijack that? Sounds unsafe.

Yeah, the name is a bit unfortunate - it's coming from dwb[1] which I think also invented that concept, and was the main inspiration for qutebrowser.

[1] https://portix.bitbucket.io/dwb/

Interesting, might give it a try again.

Qutebrowser userscripts aren't in-page JavaScript at all. They're external scripts run by the browser to control its behaviour.

http://qutebrowser.org/doc/userscripts.html

It looks like they're written in python.

Not necessarily - any language which can read environment variables and write into a file should work. Most existing scripts are using either Python or Bash though.