[panzi]

On one hand yes, sandbox everything. On the other the extensions still can change your code which you then run. Though you might only run it in a container at first.

I heared zed sandboxes extensions. I should have a look at that editor some day.

[HighGoldstein]

Sandboxing doesn't necessarily mean isolating the extension from all potentially dangerous functions, you can have a permission system so that for example a color theme extension can't modify files.

[insanitybit]

Not every extension needs the ability to change your code, let alone change it without user interaction - similar to how iframe sandboxing can allow top level page navigations with user consent.

Also, modifying my code is far better than just launching, stealing everything silently, and having full control over my system. Needing to inject some sort of malware into an arbitrary project is way better.