I'm not entirely sure how someone can prevent the publicly available Google Analytics code from getting hijacked. The author is claiming the sites responsible aren't even going to his site, just using, again, publicly available information (GA JS code and his very public API key).
Really, it sounds like the author is claiming that JavaScript only analytics solutions are the problem, not that GA is inherently bad (clickbait title aside).
Beyond that, as a few people have stated ITT, most of your GA reports are pure fiction already and it's worse the larger your site is. If a significant fraction of your total data is garbage, you aren't going to get much out of it, even if you can clean it up.
You still would like to know who is referring you. You can still filter those out one by one but it becomes a tedious war against spammers (very similar to the one on emails before the spam filters era)
If those sites hijacking your code aren't actually linking to you, then the visits that show as referred by them are presumably visits staying on those spam sites. In which case by filtering out those visits, you'll also filter out the referral sources for those visits, no?
(It's been a while since Analytics was anywhere near my personal work, so could be wrong here.)
They're not real visits. They're directly sending requests via the analytics api. The spammers can very easily spoof the domain so it looks like it was a visit to your site, not their domain.
Just create a view filter that ignores traffic on any hostname other than yours. That's it.