Configuration and add-ons reside in %AppData%, or an orherwise user-writable profile directory. Compromising the executable, which lives under %ProgramFiles%, or an otherwise protected directory, takes administrator rights.
Beyond this plausible inconvenience, however, Mozilla simply doesn't want regular users messing with unapproved add-ons. Just switch Firefox to Developer Edition for that. It's been very stable, in my experience.
The Firefox profile directory also contains sensitive things like its file cache and trusted CA database, so you don't need to plant a malicious extension to achieve significant impact when you only have write access.
Then why wont they allow users to install their unsigned addons in %ProgramFiles%? I don't think protecting against a compromised %AppData% was their only goal.
Beyond this plausible inconvenience, however, Mozilla simply doesn't want regular users messing with unapproved add-ons. Just switch Firefox to Developer Edition for that. It's been very stable, in my experience.