No magic is needed, but correct understanding is. First, blocking all 3rd party connections is unrealistic; what is required to prevent some XSS is not to noop the domains of your important services (e.g. account.google.com, email.google.com, etc. for Gmail) globally. Second, even if you block all 3rd party requests, it does not prevent you from clicking a link to a victim site w/ a crafted parameter, resulting in XSS as 1st party. You don't need to trust me or anyone, just learn how XSS works. And hard mode is practically weaker than medium mode, as you need to noop many more. BTW uBO works smoothly even on my 12-year-old laptop w/ 3GB memory. I strongly oppose applying any tweaks you don't understand.