
Call me paranoid, but after I read about this service I immediately started thinking what would happen if the browser was compromised - no UAC prompt and elevated privileges through the service...


I should hope the service does not use the browser to configure itself. It should directly contact Mozilla servers, including verifying some kind of encryption signature.

So if anything it could mitigate a compromised browser by overwriting it with a good one.


The service could verify that the browser is constantly in a safe state, monitoring file changes, SHAs, etc.


The service wouldn't give the browser elevated privileges. If you're worried about an update being compromised, then don't, since they're delivered over SSL and (I believe) are also signed separately.



