I agree with your position. Essentially, we should be able to customize the presented embed code. Maybe open an Idea for that.
Because SCRIPT tags themselves are discarded, you can't insert runnable code. I did a demo a few months back using a "smuggling DIV" where, as you suggest, I transported config data to the client in an invisible part of the form. In theory, you could smuggle an entire block of JS there and eval it on the client.
Or, rather than trying to actually embed stuff in the form (which also means it can be altered by non-technical users), create a master "form-extensions.js" with all the API calls for all your forms. Have forms be hidden by default in your global CSS, and the first thing form-extensions does is add a CSS rule to show Marketo forms (that way, you can't get a visible form without including that script, which is a none-too-subtle reminder) and also add all the API code.
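
One way to lay out the master form-extensions.js described in the post above, as an added example that is not part of the original post or Marketo's own code. It assumes the global CSS already hides `.mktoForm`; the form ids, the `formVariant` field and the handler bodies are constructed placeholders.

```javascript
// form-extensions.js (added example, not from the original post).
// Assumption: the site's global CSS contains  .mktoForm { display: none; }
// so a page that forgets this script never shows a form.

// Per-form API code, keyed by Marketo form id (ids below are constructed).
const FORM_HANDLERS = {
  1001: (form) => form.addHiddenFields({ formVariant: "newsletter" }),
  1002: (form) => form.onSuccess(() => false), // returning false skips the redirect
};

// Step 1: add the CSS rule that reveals Marketo forms.
function revealForms(doc) {
  const style = doc.createElement("style");
  style.textContent = ".mktoForm { display: block !important; }";
  doc.head.appendChild(style);
  return style;
}

// Step 2: attach the API code for every form as it becomes ready.
// Returns the list of form ids that received a handler.
function attachHandlers(mkto, handlers) {
  const applied = [];
  mkto.whenReady((form) => {
    const id = form.getId();
    const handler = handlers[id];
    if (handler) {
      handler(form);
      applied.push(id);
    }
  });
  return applied;
}

// Run only in a browser page where the Forms 2.0 library is loaded.
if (typeof document !== "undefined" && typeof MktoForms2 !== "undefined") {
  revealForms(document);
  attachHandlers(MktoForms2, FORM_HANDLERS);
}
```

All behaviour lives in one reviewed script keyed by form id, so nothing editable inside the form is parsed or passed to eval.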