[tyingq]

I like that idea, but it would be hard to pull off. The extension API, for example, allows for messaging between background scripts and content scripts. So you could make a proxy of sorts. And messaging is not the only hole you can poke. They would essentially have to redesign the whole extension API. To the point where no interesting extensions would be possible.

[amluto]

Surely there could be a content blocker script that simply can’t send messages anywhere. It gets access to web requests and to IndexedDB or something similar. It can receive messages from other extension scripts for updates, perhaps.

[on_and_off]

that's the big issue with extensions : most of those that are interesting (to me at least) are also huge privacy holes.