As a developer of an extension I can attest to the fact that 'review' takes less than 1 minute when you upload new version. I think it's safe to say that there is no upside to the bs walled garden.
It's really hard to overstate just how easy it is to exploit the garden. The extension API itself limits the system-wide mischief you can get up to, but if you have an extension with 100k+ users (either because you created it or you bought it from its original developer), it's extremely easy to slip something malicious in there, and you have a lot of data at your fingertips to sell.
I wish there at least seemed to be some degree of review or reasonable sandboxing here. The closest they come is disabling eval-style behavior in 'background' scripts, but there's nothing stopping you from running command & control scripts from a remote origin in a non-privileged context and then getting up to your evil mischief anyway. Or injecting malicious code directly into gmail tabs.
There is an automated validation process and occasionally (very rarely) your update will get flagged for manual review. This will prevent you from uploading known malware samples and supposedly some other suspicious stuff as well. This might be good enough to prevent extensions from exploiting Chrome vulnerabilities. But spying on users or injecting ads into webpages? Even if the validation attempts to detect this kind of behavior, gaming it would be trivial.
