Yes, this is one of the concerns. In theory a browser addon should take a while for the bad guys to update and publish, but are the existing addons downloading and using server-provided JS? One would hope not, but that's hardly a safe assumption these days. I know Mozilla takes a pretty hard stance against this sort of thing, but it's not all caught in review. And then there's the Electron-style apps - those should be static too, right? Right?? Also not a safe assumption. And yes, there is a pure-web UI where the code is downloaded from their servers.
> are the existing addons downloading and using server-provided JS? One would hope not, but that's hardly a safe assumption these days
This reminds me of a very brief security review I did of a third-party browser extension that was being installed on everybody's laptop at a previous job. The extension itself had very little code; it was just something that bootstrapped with code from the company's servers. There was no real way to review it or freeze a reviewed version.
The kicker was that the server-provided JS was being loaded over plain HTTP (and no, nothing was checking signatures or anything like that).
Anyway, it's not a good position to be in.