In my humble opinion, there is no situation that would merit javascript injection that would not rise to the importance of fully disabling someone's internet connection, if only temporarily.
Case #1: Malware. Full disconnect, redirect to explanation.
Case #2: EOL hardware causing interference. Full disconnect, redirect to explanation, method to rectify.
Case #3: Consumer not getting what they paid for: email me/snailmail.
I think the RFC makes it clear: this should not be for trivial notifications, only critical notifications, and if it is truly critical, it should disable the entirety of the connectivity until the user acknowledges/remedies/whatever.
Case #1: Malware. Full disconnect, redirect to explanation.
Case #2: EOL hardware causing interference. Full disconnect, redirect to explanation, method to rectify.
Case #3: Consumer not getting what they paid for: email me/snailmail.
I think the RFC makes it clear: this should not be for trivial notifications, only critical notifications, and if it is truly critical, it should disable the entirety of the connectivity until the user acknowledges/remedies/whatever.
I call shenanigans.