Hacker News
by voxl 1853 days ago
How does your reasoning not apply to applications on any device?
4 comments

Linux users who install their apps via a package manager (other than, iiuc, AUR) have at least the vetting of a third party. And this is why a lot of work goes into reproducible builds and minimal bootstraps.

Apps provided on any platform by major, trusted vendors are much more likely to be safe. Apple/Microsoft/Adobe might find themselves compelled to add a government backdoor, but they're probably not going to chuck in code to send your credit card number to the darkweb.

As for installing random programs from unknown vendors on the Google Play Store, yeah, I'm a bit nervous about that. It would be nice if we could manage trust on such platforms in some way, but all we can do is hope to be on guard at all times. Google clearly doesn't care if you get hacked by a third party, as long as they don't do it directly.

Web browsers do a lot of sandboxing to prevent outside tampering by other applications. Your secured content is encrypted by HTTPS between the server and your browser... but extensions sit inside the browser sandbox, often with full access to your decrypted web traffic.

If most of your secure information is handled via web browsers, as is usually the case today, extensions are drastically more risky than arbitrary software, because of the privileged place in the stack they operate.

Normal applications distributed through app stores tend to have access to a lot less personal data than browser extensions do.

Not the person you are replying to, but for me, it applies the same. I only have uBlock Origin and a password manager for extensions, and my phone has very few apps. I don't trust other devs to not succumb to temptation, so I don't use their apps. It would not be difficult for me to give up the smartphone for a feature phone.