One more thing you can do is audit the source code of open source projects you use, and build them yourself where possible.
For example, Metamask is source-available and you can add it to your browser from the git repo rather than the chrome extension store.
You can also add it from the chrome extension store and inspect the source to ensure all files match the build, before adding any private key material to it.
I was arguing in a comment recently[1] that browser extensions should be required to be source-available, and the chrome store should take a role in verifying the bundle matches the build process defined with the source code.
It's alarming to me that this is not already the state of things, but as it is it perverts incentives for extension developers to a horrific degree.
[1]: https://news.ycombinator.com/item?id=34892991
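The "inspect the source to ensure all files match the build" check from the comment above, as an added example that is not part of the original comment or of MetaMask's own tooling. It hashes every file under an installed extension directory and under a bundle you built yourself from the project's source, then diffs the two manifests, so modified, missing and extra files all show up. Store bundles are build output (transpiled, minified), so the comparison target is your own build output, not the raw source tree. The install path in the header comment, the exclusion of Chrome's `_metadata` directory, and the sample trees in `demo` are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original comment or from MetaMask:
# check that an installed browser extension's files match a bundle you
# built yourself from the project's source. All paths are assumptions.
#
# Typical install location for a Chrome store extension (assumed):
#   ~/.config/google-chrome/Default/Extensions/<extension id>/<version>/

# hash_tree DIR: emit "sha256  relative/path" for every regular file,
# sorted by path, so two trees compare with plain diff(1). Chrome adds a
# _metadata directory (its own content hashes) to store installs; it is
# not part of the build output, so it is skipped (assumption).
hash_tree() {
  ( cd "$1" || exit 1
    find . -type f ! -path './_metadata/*' | LC_ALL=C sort |
    while IFS= read -r f; do
      if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$f" | cut -d' ' -f1)
      else
        h=$(shasum -a 256 "$f" | cut -d' ' -f1)   # macOS fallback
      fi
      printf '%s  %s\n' "$h" "${f#./}"
    done )
}

# compare_trees INSTALLED BUILT: return 0 when every file matches byte
# for byte and nothing is missing or extra; otherwise print the differing
# manifest entries ("<" installed, ">" built) and return 1.
compare_trees() {
  a=$(mktemp) && b=$(mktemp) || return 2
  hash_tree "$1" > "$a"
  hash_tree "$2" > "$b"
  if diff "$a" "$b"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$a" "$b"
  return "$rc"
}

# demo: constructed sample trees (not a real extension). Returns 0 when
# the untampered copy matches and a tampered copy is caught.
demo() {
  d=$(mktemp -d) || return 2
  mkdir -p "$d/built" "$d/installed/_metadata"
  printf '{"name":"example","manifest_version":3}\n' > "$d/built/manifest.json"
  printf 'chrome.runtime.onInstalled.addListener(()=>{});\n' > "$d/built/background.js"
  cp "$d/built/manifest.json" "$d/built/background.js" "$d/installed/"
  : > "$d/installed/_metadata/verified_contents.json"   # store-added, ignored
  compare_trees "$d/installed" "$d/built" >/dev/null || { rm -rf "$d"; return 1; }
  # Simulate a modified store bundle: one extra line in background.js.
  printf 'fetch("https://example.invalid/keys");\n' >> "$d/installed/background.js"
  if compare_trees "$d/installed" "$d/built" >/dev/null; then rm -rf "$d"; return 1; fi
  rm -rf "$d"
  return 0
}

demo && echo "demo: clean copy matched, tampered copy detected"
```

Run it against real directories with `compare_trees <installed dir> <build output dir>`; a non-zero exit means at least one file differs, is missing, or was added, and the diff lines say which. Only compare against a build you produced from a checked-out tag, otherwise a match tells you nothing.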