It's 2014, most sites assume javascript, and the "graceful degradation" is never "graceful".

Me and all people doing front-end work I know of, who even care for any kind of "graceful degradation" (that's a minority of front-end-devs!), always go over "the layout breaks and some fonts are wrong for users with javascript disabled" with "but they cans still click the links and read the text, so we'll just leave it this way" (because the alternative will be putting at least 3x as much work into it, and nobody would pay us for it ...just as nobody would pay for a website without "live filtering" and "ajax loading" and all nowadays).

So you're basically choosing a stone-age-degraded-experience to be able to spare some CPU cycles.

(the security and privacy arguments are valid though, and you're 100% right on these... but as more and more sites become SPAs, you'll basically have no choice than whitelist more and more untill you'll have to whitelist everything)

NoScript gives you a chance to evaluate a site for trustworthiness. Yes, you have to click 1-2 times when you load a new domain that you trust, but it's worth it for that one site that looks sketchy or that you get mislead into clicking onto. For people who automatically execute JavaScript, it's already too late, but NoScript users have an opportunity to avoid this cantankerous situation.

NoScript will expose phishing schemes immediately, for instance, because it will recognize that the scripts being executed are not coming from the previously-whitelisted domain for Google.

>you'll basically have no choice than whitelist more and more untill you'll have to whitelist everything

Even if that is the case (which I do doubt), if it means I still have google analytics, advertisers, disqus, and random dodgy sites I've never before visited blocked (e.g. when a site gets compromised by injecting malicious javascript), I don't mind.