Browser extensions, if we use the analogy of apps running within the browser as an OS, are lacking simple capacities to manage the risks. Just like any app a user can install on their devices, extensions extend the attack surface. As we cannot avoid the risk by removing all of them, we can just allow users to have more control over them regardless of the browser they use. I suggested[0] using standard management APIs provided by browsers; therefore, the ecosystem can use them as building blocks for FOSS and/or commercial tools. That's a very naïve idea, but why not?
0. https://zaferbalkan.com/2023/10/03/browser-extension-api.htm...