1. Malicious code isn't always obvious, even to an extremely trained user. (E.g., https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
2. Other code (e.g., your browser) can have vulnerabilities that the client can exploit. This could happen in such a way that the target code doesn't actually execute something that's visible in its source (like with return-oriented programming for buffer-overflow attacks) and the attack itself doesn't even look like code- like a string token input or something that doesn't fully show up in the source.
So Fizzer's phrasing makes sense 'cause the eye test doesn't give you any guarantees. Every time you install an innocuous-looking piece of software, you should also be aware of what it can do if it turns out to be malicious. Can't speak for userscripts specifically, but there's ways to sneak malicious code past reviews especially if those reviews are coming from end-users. The point is that, with all the permissions userscripts get, it's probably not that hard for an experienced/motivated attacker to write something that convincingly looks like it's a smiley-face script but actually hacks your account and makes you constantly post threads about Donald Trump on the Off-topic Forum.
Err on the side of paranoia.
Edited 4/22/2018 03:26:35