For the interim, may it be a wise idea to include an inlined script at the very top of any page which includes untrusted 3rd party code, in order to overwrite the Performance tools by a wrapper? By adding some random to the real numbers this may help mitigating effects ...

E.g.,

  (function() {
      var global = (function() { return this; }).call(),
          _Performance = global.Performance,
          _performance = global.performance;
      global.Performance = /* ... snip ... */;
      global.performance = /* ... snip ... */;
  })();

[Edit]: This could be injected by a browser-plugin on the user's side, as well.