Ultimately it's a trust tradeoff. Extensions should only be installed from incredibly trusted "I'd give this entity my passwords and my bank info for safekeeping" level trust. Because that's essentially the access a lot of browser extensions have.

The easiest way to protect your browser from exploits is to disable or whitelist extensions. At the office we block all but a small handful of extensions we've vetted, and we're very hesitant to add more without very good cause. Do this at home too.

Even for extensions you trust, if their domain expires, it can be minutes later that it is pushing an update.

Actually ... Chrome extensions should have a trust policy wrt domain age, meaning a newly refreshed domain (via expiration) shouldn't be able to push an update for X days.

edit, forgot to mention that this applies to all plugin systems, many which provide vectors of attack against programmers, many of whom can affect global infrastructure.

So VSCode, IntelliJ, etc can be used to inject code into the client as well.

Chrome extensions should be signed and should prevent updates of extensions if the new version was signed by a different from the one signed the current one until the user manually approves it.

The problem is malicious actors will only buy the extension conditional on the author handing over the signing key as well.

Most users will click straight through the approval though, like when they granted it full permissions at install.

And is the signing actually effective anyway? There's very little mention of it online, and as far as I can see it isn't covered in the official guide for publishing extensions.

Is it even possible to have proper signing keys stored locally or air-gapped?

No, just straight up refuse unless the new signing key got approved by the old one. Hard-block. Why shouldn't it?

To be honest that problem exists for essentially any software that auto-updates.

You just have to hope that the built-in integrity checking (if any) works and is effective.

That's why I like software distribution methodologies that rely purely on signing to verify authenticity, rather than simply the location that it was downloaded from. I can technically use any old dodgy Apt mirror that I want, as long as I only accept packages signed by trusted keys.

As a side note, it's shocking how many software providers say that their downloads are 'integrity checked' just because they're served over HTTPS.

Adblockers are still useful to block annoying scripts and softpaywalls.

Yes I know no-script exists but it breaks many if not most websites and after a few weeks of managing exceptions most users would disable it and heck few weeks is likely generous most uses would disable it after a few hours if not minutes.