Fundamental cyber hygiene
Today's web browsers have essentially no security at all. Not because browsers are poorly written, but because most websites would break if the most fundamental safety was enabled. Each implementation is forced to adopt all features out there no matter how insecure. Otherwise the users will just say that it's broken and install a less secure browser.
This is why my website does not use any scripts, so that there's zero incentive to disable your browser's security. You can also block all images from displaying, because each image has a text description for the visually impaired.
What visitors can do about it
Instead of blocking all ads that pay for the internet, just block their scripts and boycott any site that gives you a blank page for it. Both Github and Handmade Network offer JavaScript for additional effects to visitors wanting it, but both of them are fully functional without enabling scripts.
What web-masters can do about it
Stop making excuses for why you need additional privileges on the visitor's system. You can have more than enough style using plain HTML and CSS if you learn the basics. You can even have targeted ads using selected sponsors based on your site's content instead of stalking visitors with malware and exposing them to scammers. You can generate HTML dynamically from the server and do complex logic with databases that covers 99% of the use cases.
Using JavaScript on a website when not needing it, is like walking into a bank with a sawed off shotgun when not needing it. Thinking that one more website abusing what's available cannot hurt, is like thinking that another guy selling illegal weapons cannot hurt. Instead of following behind bad examples, think about how safe the internet could be if all good sites played by the rules.
What search engines can do about it
Allow users to filter search results based on how intrusive the site features are. Give better rankings to sites that can be browsed with security enabled.