Looks like some major ‘sploits have been identified for Greasemonkey:
“…In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with “@include *” (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.”
(From the “[Greasemonkey] greasemonkey for secure data over insecure networks / sites” thread on the Greasemonkey developer list)
The general agreement on the list is to totally disable or uninstall GM for the time being… Eeek.
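If you want to know which of your installed scripts fall into the "every site you visit" bucket from the quote, here is a small Node.js audit sketch. It is an added example, not code from the list thread or from Greasemonkey itself; the sample scripts and the wildcard heuristic in `matchesEverySite` are assumptions made for illustration.

```javascript
// Added example (not Greasemonkey's code). Sample scripts are constructed.

// Collect "// @key value" lines between ==UserScript== and ==/UserScript==.
function parseMetadata(source) {
  const meta = {};
  let inBlock = false;
  for (const line of source.split(/\r?\n/)) {
    if (/^\s*\/\/\s*==UserScript==\s*$/.test(line)) { inBlock = true; continue; }
    if (/^\s*\/\/\s*==\/UserScript==\s*$/.test(line)) break;
    if (!inBlock) continue;
    const m = line.match(/^\s*\/\/\s*@(\S+)\s*(.*)$/);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2].trim());
  }
  return meta;
}

// Heuristic (assumption): a pattern made only of wildcards, e.g. "*",
// "http://*/*" or "http*", is treated as matching every site.
function matchesEverySite(pattern) {
  const rest = pattern.replace(/^(?:https?\*?|\*):\/\//, '');
  return /^[*\/]*\*[*\/]*$/.test(rest) || /^https?\*$/.test(pattern);
}

// Per the quoted post, a script with no @include runs as if it had "@include *".
function auditUserScript(source) {
  const declared = (parseMetadata(source).include || []).filter(p => p !== '');
  const effective = declared.length ? declared : ['*'];
  return {
    includes: effective,
    defaulted: declared.length === 0,
    everySite: effective.some(matchesEverySite),
  };
}

// Constructed sample scripts, keyed by a made-up file name.
const samples = {
  'scoped.user.js': '// ==UserScript==\n// @name Scoped\n// @include http://example.com/*\n// ==/UserScript==\n',
  'explicit-all.user.js': '// ==UserScript==\n// @name All\n// @include *\n// ==/UserScript==\n',
  'no-include.user.js': '// ==UserScript==\n// @name Bare\n// ==/UserScript==\ndocument.title = "x";\n',
};

for (const [name, src] of Object.entries(samples)) {
  const r = auditUserScript(src);
  console.log(name, r.everySite ? 'RUNS ON EVERY SITE' : 'scoped',
    r.defaulted ? '(no @include, default applies)' : '', r.includes.join(' '));
}
```

Scripts reported as running on every site are the ones to disable first; the `defaulted` flag picks out those that never declared an `@include` at all.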