@lcamtuf For a really long time this was true of _all_ browser extensions, until Chrome Manifest V2 in 2012 (similar functionality in 2016 in Firefox.) Prior to this it was possible for even a page to exploit flaws in extension JavaScript, and for a malicious extension to steal all your data. Manifest V2 and WebExtensions locked down extension security.

Following Manifest V2 and WebExtensions API, it wasn't really possible to do this, so from a practical perspective you could have started adblocking in August 2016 in Firefox or Chrome. The only other relevant thing I can think of is that in 2019(!) Google and Mozilla finally equired extension authors to have two-factor to publish extensions.

So yeah it is still a security tradeoff but it's not so bad for a while now.