That does surprise me. Chrome is a cross-OS application, it runs on Windows/Mac/Linux, right? And things like extensions are all internal to the browser. Why is a scanner for bad settings and bad extensions bound to a single OS?
Chrome provides hooks to allow Windows to force extensions into it through Group Policy et al. Good for corporate IT, bad for protecting yourself against malware.
The key insight is that Chrome itself is programmed to have quite-limited permissions—it not only heavily sandboxes itself, but it also does what it can to avoid requesting any powers from the OS that could be used to do damage in the first place, if one were to break out of the sandbox. (This also has the side-benefit that Chrome doesn't need any of those "scary" UAC elevation prompts during installation, which probably helps their funnel to an extent.)
This means that Chrome actually doesn't have any of the permissions required to weed out the GPOs responsible for feeding it malware extensions. Even if the Chrome process wanted to reach out and blow them away, it couldn't. So they created this separate program, that does do "scary" UAC-elevation things, to help out.
(What they could have done is package this program into the Windows Chrome install, make it headless, and make a button in the Chrome settings that would spawn it and then interact with it over IPC, displaying the UI on the Chrome side. They could have, further, made it just-in-time download the component—as, IIRC, Firefox does with its Hello component—which would have eliminated any install-time size overhead to this approach.)
It's technically possible for Chrome to have this problem on other operating systems as well, but in practice their telemetry shows the vast majority of malware which installs things into Chrome is on Windows.
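Added example, not part of the thread or of Chrome's code: a Python audit of a `.reg` export that lists the extensions Group Policy force-installs into Chrome, the mechanism the comments above describe. The registry location, the `id;update_url` value format and the Web Store update URL are assumptions taken from Chrome's enterprise policy documentation, not from this page; the extension IDs, the sample export and the `approved_ids` allowlist are constructed.

```python
import re

# Assumptions (not from the thread): key location and "<id>;<update_url>" value
# format as described in Chrome's enterprise policy documentation.
FORCELIST_KEY = re.compile(
    r"^\[(HKEY_(?:LOCAL_MACHINE|CURRENT_USER))\\SOFTWARE\\Policies\\Google\\Chrome"
    r"\\ExtensionInstallForcelist\]$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
EXT_ID = re.compile(r"^[a-p]{32}$")  # extension IDs are 32 letters in a-p
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed IDs and constructed export text (a real regedit export is UTF-16).
ID_A, ID_B, ID_C = "a" * 32, "b" * 32, "c" * 32
SAMPLE_REG = rf'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"ConstructedOtherValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="{ID_A};{WEB_STORE_UPDATE_URL}"
"2"="{ID_B};https://updates.example.invalid/ext.xml"

[HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="{ID_C}"
'''

def audit_forcelist(reg_text, approved_ids):
    """Return one finding per force-installed extension, with reasons to review it."""
    findings, hive = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # new key: track whether we are inside a forcelist
            m = FORCELIST_KEY.match(line)
            hive = m.group(1).upper() if m else None
            continue
        m = VALUE_LINE.match(line) if hive else None
        if not m:
            continue
        ext_id, _, url = m.group(2).partition(";")
        reasons = []
        if not EXT_ID.match(ext_id):
            reasons.append("malformed-id")
        elif ext_id not in approved_ids:
            reasons.append("not-approved")
        if url and url != WEB_STORE_UPDATE_URL:
            reasons.append("off-store-update-url")
        findings.append({"hive": hive, "id": ext_id, "update_url": url, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_forcelist(SAMPLE_REG, approved_ids={ID_A}):
        print(f["hive"], f["id"], f["reasons"] or "ok")
```

On a managed fleet the allowlist would come from the policy IT actually deployed, so any entry flagged `not-approved` is one that something other than the administrator wrote.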