If the malicious software can adjust protected user settings, can't it also just inject into the Firefox process directly?

If there's a privilege level that allows for one but not the other, that sounds like something Mozilla should fix.

Fortunately, it is no longer necessary to run malicious software on user computers. With latest "advancements" in Firefox security everyone can publish malware directly in Firefox addon center [1]. No review needed!

"We accidentally uploaded all your HTTP requests to our servers, but we will definitely fix that in next addon version!~"

[1]: https://arstechnica.com/?post_type=post&p=1340459