It's handy for situations where you have inexperienced people needing to flash microcontrollers. Meshtastic is a great example: it's meant for a wide variety of users, from people that can actually write code to people that have only maybe heard of a Raspberry Pi in passing. You buy a transceiver on Amazon, go to the Meshtastic website, plug in the transceiver, and hit "flash". Also, I don't want to have to download yet another custom Arduino IDE. I don't need to actually modify the running code, I just want the binary on the device so I can move on with playing with it.
I'm aware it's handy. Lots of handy things have been used to distribute malware. Now we just need someone to intercept ESPHome's flasher so that it sends a modified payload.
I don't believe this is a good solution: users will obviously click on that add-on install dialog box without being better informed and protected against malicious / buggy / attacker-controlled web sites.
Hopefully they will move to a better solution that offers some integrity guarantees instead, like https://rwc26.waict.dev/ that they have an early implementation of in nightly builds.
I don't mean enabling them in `about:config`. The actual pages you visit must request access to these features from the user, including selecting which device(s) it is allowed to access. So even if Firefox enabled all of these APIs by default, nothing will be able to access your devices without your permission.