Grab the source code, review it for AJAX or DOM manipulations and install it via Developer mode? Also, set reminders to review diffs and update it as new releases occur...
WebExtensions like Neat URL continue to work even if you don't update it. You only have to inspect the extension code once (no developer mode needed) if you are skeptical, and you don't have to update it if you don't want to.
The paranoid in me says there’s no point in installing the web store version unless you download and inspect /it/. The source code published isn’t necessarily the version distributed, though obviously injecting code in the CI pipeline would be... excessive. This goes back to the trusting trust problem. https://www.schneier.com/blog/archives/2006/01/countering_tr... If someone managed to skip an exploit into a release of webpack, well, there goes the Internet ;-)