
Great suggestions. The "third party buys popular extension and quietly adds malware" approach is also a huge attack vector. There really ought to be some way to prevent an extension from updating until you've had a chance to review and approve that change, especially if it requests a lot of sensitive permissions.


Well, even today, if the attacker modifies the permissions it will require a re-acknowledgement. Google can also do things there, like if the extension is tied to a key (as it should be), tell developers that they are required to not provide that key to anyone else, even if they sell / transfer ownership of the extension. Instead, the new owner should register a new key, which can trigger review/scrutiny.

Key + 2FA means the attacker has to have code execution on a developer's machine in order to publish an update (via the local session token, which you should make short lived). And Google could require a FIDO2 token if you want to bypass the "alert users that this thing uses lots of permissions".

There's a lot of stuff I'd be working on to avoid having to remove developer power.

edit: K I've been rate limited by HN so I can no longer reply for today, but them's my thoughts.


If someone offers a typical small extension author $500,000 for their extension, I think they're going to ignore Google's rules and hand over the keys.
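An added example (not written by anyone in the thread, and not any browser's or store's own code) of the review-before-update idea from the first comment combined with the permission re-acknowledgement from the reply: it holds every new version until a human approves it and escalates when the update asks for new sensitive access. The names `reviewUpdate` and `requested`, the `SENSITIVE` subset and the sample manifests are assumptions made for illustration.

```javascript
// Added example: gate an extension update on a reviewer's approval.
// SENSITIVE is an illustrative subset of Chrome permission names, not a complete list.
const SENSITIVE = new Set(["<all_urls>", "cookies", "debugger", "history",
  "nativeMessaging", "scripting", "tabs", "webRequest"]);

// Collect everything a manifest asks for: API permissions, host patterns
// (MV3 host_permissions; MV2 mixes them into permissions) and content-script matches.
function requested(manifest) {
  const out = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ]);
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) out.add(m);
  }
  return out;
}

// Host patterns that cover every site.
const isBroadHost = (p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);

// Decide what to do with `next`, given the last version a human approved.
function reviewUpdate(approved, next) {
  if (approved.version === next.version) return { action: "allow", added: [], sensitive: [] };
  const before = requested(approved);
  const added = [...requested(next)].filter((p) => !before.has(p)).sort();
  const sensitive = added.filter((p) => SENSITIVE.has(p) || isBroadHost(p));
  // Every new version is held: a new owner can change the code without touching permissions.
  const action = sensitive.length ? "block-pending-review" : "hold-for-review";
  return { action, added, sensitive };
}

// Constructed sample manifests (not from a real extension).
const v1 = { version: "1.4.0", permissions: ["storage"],
  content_scripts: [{ matches: ["https://example.com/*"] }] };
const v2 = { version: "1.5.0", permissions: ["storage", "cookies", "webRequest"],
  host_permissions: ["*://*/*"],
  content_scripts: [{ matches: ["https://example.com/*"] }] };
const v3 = { ...v1, version: "1.4.1" }; // code-only update, same permissions

console.log(reviewUpdate(v1, v2));
console.log(reviewUpdate(v1, v3));
```

The `v3` case is the one the thread worries about: nothing in the manifest changes, so only a hold on the version itself gives a reviewer the chance to look at the new code.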



