These same risks exist with any app. Totally agree it's a valid concern and deserves more than a footnote, but I don't think that counters anything that the author is praising about extensions specifically.

At least extensions exist within an ecosystem where they are subject to manual review and approval/removal. And in terms of updates, any changes to the permissions show a prompt to the user as though they were newly installed.

Manual review doesn't work. The volume is too high, and subtle trickery is too easy.

To first order, there is no permissions model for browser extensions. You should assume that an extension can see and do everything that your browser can see and do.

This is also a huge problem with mobile apps, but the problem is at least acknowledged, and there's some degree of permissions and sandboxing, even though it's not completely effective, and even though most apps ask for every single permission anyway. But in general, yes, you should take a similar approach to mobile apps, and only use the minimal set that you absolutely can't live without. Don't install games or stupid shit. We already know that basically every weather app on Android contains malware.

This is also a problem in free-for-all developer library ecosystems like npm, as we keep seeing. Popular dependencies get taken over or sold and then all of a sudden lots of servers are running malware.

Software may be eating the world, but it's really important to know what software you're actually running. You can't just build a house of cards and hope for the best.
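The two comments above disagree on whether an update's permission change is visible and meaningful. As an added illustration (not code from either commenter), here is a check a reviewer or an organisation pinning extensions can run on two versions of an extension's manifest to flag permission escalation; the manifests are constructed samples, and the "escalation" rule (any new API permission or broader host scope) is this example's own policy, not a model of what any store actually prompts for.

```python
import json

# Constructed sample manifests (MV3 style) for one extension before and after an update.
OLD_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Extension", "version": "1.0",
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://example.com/*"],
})
NEW_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Extension", "version": "1.1",
    "permissions": ["storage", "activeTab", "webRequest", "cookies"],
    "host_permissions": ["<all_urls>"],
})

# Match patterns that reach every origin; treated here as the broadest possible scope.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def split_permissions(manifest):
    """Return (api_permissions, host_patterns).

    MV2 manifests mix host patterns into 'permissions'; MV3 puts them in
    'host_permissions'. Anything that looks like a URL pattern is a host.
    """
    api, hosts = set(), set(manifest.get("host_permissions", []))
    for entry in manifest.get("permissions", []):
        (hosts if ("://" in entry or entry == "<all_urls>") else api).add(entry)
    return api, hosts


def diff_permissions(old_json, new_json):
    """Compare two manifest versions and report whether the update widens access."""
    old_api, old_hosts = split_permissions(json.loads(old_json))
    new_api, new_hosts = split_permissions(json.loads(new_json))
    old_all = bool(old_hosts & ALL_HOSTS)   # old version already reached every origin
    new_all = bool(new_hosts & ALL_HOSTS)
    # Host scope is broader if the update newly reaches all origins, or adds any
    # host pattern while the old version was still origin-restricted.
    hosts_broadened = (new_all and not old_all) or (not old_all and bool(new_hosts - old_hosts))
    added = sorted(new_api - old_api)
    return {
        "added": added,
        "removed": sorted(old_api - new_api),
        "new_hosts": sorted(new_hosts - old_hosts),
        "hosts_broadened": hosts_broadened,
        "escalation": bool(added) or hosts_broadened,
    }
```

Running `diff_permissions(OLD_MANIFEST, NEW_MANIFEST)` reports `webRequest` and `cookies` as added and the host scope as broadened to all origins, so the update is flagged as an escalation that should be re-approved rather than auto-installed.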


I read this as an argument for open source. It's not a guarantee, but it's a good heuristic for an app's trustworthiness.


Yeah, I agree. It's not perfect, but it sure helps. This is also why a lot of the big open-source distributors (e.g. Debian) are working towards fully reproducible builds.