by always_good 2957 days ago
Are you going to notice and reinspect every invisible OTA update?

It's a perfectly valid concern when you install a plugin. We just don't care because most people are trustworthy.

But for example there's a market for selling your browser addon to someone that wants to do this.

2 comments

You're basically arguing that open source isn't really open because you don't have the time to inspect every commit...

If you build this from source, you'll have proof of any malice by the developer.

This of course assumes you installed it directly from GitHub, as that is the code you reviewed. Otherwise, yes, that is a valid concern.