This is still something of a problem of Chrome's own creation though.
The reason Chrome can't be much, much more restrictive about what extensions get placed in the store is because there is no alternative. The less important your store is, the more exclusive (and safer) it can be.
Look at Linux with package managers like AUR. If a package isn't included in the official Arch repos, I generally don't mind. I can go install it if I've vetted it myself. What that means is that Arch can be a lot more restrictive about what they include. They don't really need to provide a bunch of justifications, they can just say they had a bad feeling or haven't gotten around to looking at it.
If the goal is to have safe spaces where users can be certain that they won't ever run into malware, the space maintainers need the freedom to be very restrictive. Google doesn't have that freedom with the Chrome Web Store specifically because getting banned from the Chrome Web Store is a massive deal -- they can't just decide to prioritize safety over everything else.
Small, optional safe spaces that people can opt into will always be better filtered, better moderated, and overall safer than a giant space that's forced to balance between freedom and safety for every single user at the same time. Moderation doesn't scale.
I don't think their priority is making a specific area where users are free from malware; they're trying to make it hard for malware overall to integrate with Chrome. Adding a supported path for software to integrate with Chrome (allowing extensions not through the store) where they can't block malware would be giving up on that goal.
> they're trying to make it hard for malware overall to integrate with Chrome
That's a reasonable argument, and you're probably right about their motivations. But I'm not convinced that's a realistic goal, because the definition of malware/spyware changes depending on the context/user.
The big reason moderation doesn't scale is because you're forced to balance everybody's needs at the same time -- you can't optimize for any particular user. If the end-consequence of an exclusive web store is that it's much harder for the Chrome team to ban shifty apps without everyone on Twitter asking for a bullet-pointed list explaining why, then the Chrome team isn't really making the world that much safer.
In general, I would advocate that it's better to try and build safe spaces rather than safe worlds. That's kind of a pragmatic philosophy: I'm having a hard time thinking of an existing safe world that I think runs well. All of the major app stores (including Apple's) have malware problems to at least a certain degree. Most giant social networks are not doing a good job of moderating content. Package managers for languages like Node and Ruby are running into the same issues.
Maybe the web itself? But the web doesn't get its safety from moderation, it gets its safety because of sandboxing.
If I'm thinking purely as a consumer, what I really want is an extension store where I know 100% that everything on it is fine. I don't want to have to think or read reviews or look up the author before I install an extension. I want it to be clear when I'm being safe and when I'm doing something dangerous. I suspect that's what a lot of consumers want, and I just don't see any realistic path for Chrome to provide that with their current strategy.
I get that "somebody might choose to leave the safe space and install malware anyway" feels bad, but if the consequence of avoiding that is, "everybody gets kind of substandard protection all the time", maybe it's worth questioning whether Chrome's malware goals are worth pursuing in the first place.