There is an automated validation process and occasionally (very rarely) your update will get flagged for manual review. This will prevent you from uploading known malware samples and supposedly some other suspicious stuff as well. This might be good enough to prevent extensions from exploiting Chrome vulnerabilities. But spying on users or injecting ads into webpages? Even if the validation attempts to detect this kind of behavior, gaming it would be trivial.
