They have those evil metrics about what users are doing.
If 1% of users are getting exposed to malicious software by a feature and 0.0001% of users are using it, it's a little more clear than you say. I've made both of those numbers up, but I think it's likely enough that very few end users are depending on the ability of other software to silently inject plugins.
With the caveat that power users are probably the ones to have turned off metrics. Mozilla is probably aware of it, but it's still hard to compensate for that.
If 1% of users are getting exposed to malicious software by a feature and 0.0001% of users are using it, it's a little more clear than you say. I've made both of those numbers up, but I think it's likely enough that very few end users are depending on the ability of other software to silently inject plugins.