When I run Bro 2.0 with just the script "protocols/dns", it pulls in (among
other things) frameworks/packet-filter/netstats.bro , which strikes me as
definitely something optional rather than necessary. If I wanted to
suppress that behavior, how would I do it?
Vern
That's a good point, I think you've identified a place where we don't want a script to be loaded by default. We're including a local.bro script with Bro now too that's intended to be edited locally after installation as a "recommended" load set so we can do recommended loads there and not make them load by default anymore. I'll change that now and keep the list of odd-to-load-by-default scripts coming. 
My comment to Robin yesterday was that you can think of the new site/local.bro script like the old brolite script except that it's meant to be edited now.
.Seth