The point is(just gave a couple of examples for issues in the past related to web based PM's) that extensions have tremendous attack surface and lots of complicated little things you have get perfectly right.
kbuck made it seem like there's just a single issue here that can be avoided. that's not true.
Program binary delivery CDN compromise is completely orthogonal to whether the password manager is "web based". Upon some cursory research, the compromised Passwordstate thing is an on-prem enterprise solution, the upgrade package compromised looks like an asp.net application meant to be placed on a server. I guess you can call it compromise of a web-based password manager... But you can compromise native programs the exact same way if you get ahold of the update CDN. Using it as an example is weird.
I see, definitely valid criticism. Cannot edit my comment now.
My point wasn't the specific incident that was linked but more about the fact that updates are a threat for extensions as they update automatically without user input
kbuck made it seem like there's just a single issue here that can be avoided. that's not true.