There almost certainly is not a way to invisibly install add-ons, unless you are part of Mozilla, and, you know, making Firefox. If paranoia is your thing, it might be worth considering that Mozilla can do anything it wants inside Firefox core, all of it is "invisible" to you.
And this is the point where even the most Mozilla-supporting users move away. For me, this is it, I’m going to Chromium.
Fuck this shit, in the past months we had CliqZ https://news.ycombinator.com/item?id=15421708, we had Mozilla adding new telemetry, we had Mozilla force-enable toolkit.telemetry.enabled, we had Mozilla say that, if you download Nightly, that is considered opt-in to tracking, we had Mozilla put Google Analytics into the Addons menu (because it’s loaded from addons.mozilla.org: https://github.com/mozilla/addons-frontend/issues/2785 ), and we had Mozilla say that, if we don’t trust Google, we shouldn’t use Firefox.
Regarding telemetry, take a look at the settings in about:config. There are several toolkit.telemetry.Ping settings which are set to true by default. In the spirit of charity I'm going to assume that those phone home pings - on startup, shutdown, update - are not enabled unless telemetry is enabled. But I have not checked...
Disabled Encrypted Media Extensions (EME)
Disabled Web Runtime (deprecated as of 2015)
Removed Pocket
Removed Telemetry
Removed data collection
Removed startup profiling
Allow running of all 64-Bit NPAPI plugins
Allow running of unsigned extensions
Removal of Sponsored Tiles on New Tab Page
Addition of Duplicate Tab option
Locale selector in about:preferences > General
I hate the fact that Firefox increasingly makes me jump through all sorts of hoops to find all the hidden options to turn off their various spyware attempts. Its the Win10 of browsers...
Yeah, its so intuitive for the average person to type: about:config in address bar and scroll through hundreds of oddly named parameters to turn off spyware.
Comments like yours are illustrative of a certain mindset. When you encounter the complexity of domains you are not intimately familiar with (court system, law, finance, etc), and those complexities are designed specifically to make it hard for you to protect yourself, I'm sure you are just as understanding as you are now.
How exactly? Whether they push out code to you by just changing the binary or by installing an extension makes no difference. In fact, pushing it out as an extension, means they actually have less control over your browser, because are bound to the restrictions that extensions have.
Every browser vendor has this control over you when you use their browser. Some have even more, because they don't even need to tell you about it when they're closed-source.