[nikcub]

Browser extensions are cryptographically signed and verified, while web application javascript is not.

The problem isn't with javascript, it is with delivering javascript in a web-based application (amongst other concerns).

Most of the other concerns about web delivered javascript also don't apply to extension security. Example: a web application can't interfere with the execution of extension code since extensions reside within their own context and cross-origin rules apply (there are special API's accessibly only from the extension to call into the web javascript).

End-to-end from Google is a browser extension, and it is signed by the developers and then verified on install. It is more secure than a traditional desktop software installation.