Like I thought. If sites are build to work with JS then it's normal that most things get messy. What could be a possible alternative to JS so we could avoid those problems like malware and tracking?
The genie is out of the bottle now. Security and privacy are an ongoing battle. There is no solution, you can only be vigilant and try to keep out blatant attempts - like people hosting javascript files within iframes or ad agencies that use know addresses. Browser extensions like NoScript, uBlock, Privacy Badger do a reasonable job stopping unsophisticated attempts and also help prevent downloading MBs of resources from god knows how many other sites. There is no safety or privacy online. Five Eyes watch literally everything you do and they share their data to circumvent local laws. Advertisers create ever more sophisticated methods of tracking you.