Firefox's click-to-play is still enabled by an about:config pref because its initial implementation is not a user-facing feature; it's targeted at disabling plugins for security vulnerabilities (like Java).

I believe a per-plugin setting is planned.

I like your suggestion for a basic whitelist for popular websites like YouTube and Facebook.