
While NoScript is awesome, it doesn't mean you can turn your brain off while browsing :)



Having your 'brain turned on' while browsing wouldn't really change the efficacy of this exploit.

A site is on the default whitelist of the addon that can contain a malicious payload. Any site on the internet could therefore have a link to this payload. Granted, I'm not sure what sort of malicious JS payloads there are, other than crashing a browser, that don't involve some XSS.


If you browse with NoScript in default-deny mode, you're probably also the type to use RequestPolicy, which would prevent irrelevant sites from running a script off vjs.zendcdn.net.

NoScript isn't a comprehensive security/privacy suite. It's just a crucial component.


RequestPolicy won't save you if the link is to a subdomain of vjs.zendcdn.net which is whitelisted, but also the site you're visiting.


Right, if you get tricked into visiting the site then first-party scripts can run. But with XSS protection intact and RequestPolicy preventing any third-party access, the scope of possible attacks is pretty narrow.



