I mistakenly installed a Minecraft modloader for my son without checking it out first. It silently installed a couple of local Chrome extensions that injected ads in every page. It would reinstall them (again, silently) every time you deleted them. It wasn't detected by Microsoft Defender or Avast until I ran Malwarebytes which took care of the problem.
So, pardon my french, but no freaking way do I want any local Chrome extensions allowed by default anymore.
For extensions from the Chrome store, perhaps Chrome should make updates more like on Android, where you are notified and can click for more info.
If you are running arbitrary code on your box, then local installed Chrome extensions aren't the real problem now, are they?
That code could, I dunno, run a local HTTP/S proxy (install a trusted cert) and MiTM your HTTP requests and inject ads that way. Or about a million other things.
And it's funny Chrome is trying to prevent apps from doing that, when they themselves do the same thing: In Windows, pinning to the taskbar is supposed to be user-only. But Chrome circumvents that and pins anyways, actively avoiding user preference. (And they drop an icon on the desktop, without asking.)
So, pardon my french, but no freaking way do I want any local Chrome extensions allowed by default anymore.
For extensions from the Chrome store, perhaps Chrome should make updates more like on Android, where you are notified and can click for more info.