Pens have a purpose other than surveillance, and aren't as capable as machines. A better analogy would be Bluetooth trackers and cameras with machine vision to identify and watch people's movements and eye gaze as they move around the store. And yes, that is creepy and the manufacturers should be criticized for creating it.
Also, client-side scripts do not run on the website's property. They are taking advantage of the wide-open security model of web clients (the model they coincidentally get to define because they dump massive amounts of money into giving away a free browser, making competition in the space nearly impossible) to use people's computers for unauthorized purposes. It's a malware payload just like a crypto miner. They should be treated the same way (or more severely) that they would be if they published miners and told web developers to add them to get free money (taking their own cut of course). The operator and the tool creator should both be blamed for shady behavior when the tool is designed and advertised for shady purposes.