[userbinator]

and of course I'm still trusting the extension's code quite a bit, but at least I don't have to worry about it changing

You only need to examine and trust it once.

[varenc]

It's true, but for large extensions that make use of bundled 3rd party libraries, it's hard to examine the code to determine with very high confidence there's nothing malicious in it. I also tend to watch a new extension's network traffic, but of course it's not foolproof either.

[thenickdude]

I delete the third party libraries and replace them with my own clean checkouts.