Most extensions are single person projects run on GitHub. Imagine if their Gmail account, or phone SIM gets breached and backdoored version reaches Extension Store.
Plus several extensions were just sold to highest bidder!
Sure, but it does not address the question I have placed for you. Can you name the extension you consider shady? A lot of projects on github are one man operations.
Ublock Origin installed from Firefox Extension Web Store. I have no idea how this was verified and distributed. I do not trust webstore as a channel. Also user may easily click on "Unblock" or "Unlock" and get something completely different.
If this extension came from my Linux distro package, or bundled into Firefox binary, I would trust it.
With Brave I have no need to use extensions. Everything is bundled and can be enabled via about:flags.