Hm not necessarily. You "just" need to get code onto the system that is somehow being loaded into the gpg process or has the ability to load code into a gpg process.
Of course, still orders of magnitude harder than just modifying the js bundle, but not a counter-example.
Snake oil is just a fundamentally wrong label for the issues OP is seeing, even though those issues are of course real and relevant.