Hacker News
by sillysaurus3 4248 days ago
A hypothetical extension-less mode isn't a bad idea. Unfortunately, it doesn't exist.

An XSS attack in an unrelated part of the webpage can escalate. If someone hijacks the session key of an admin, they get access to the admin panel. That access may or may not let them further escalate their privileges. If they manage to break into the box that serves the JS for the key generation page, then they can alter the JS however they want, including so subtly that no one will notice it's broken. Think this is unlikely? Privilege escalation attacks like this happen all the time. Again, the potential payout for a successful heist is in the range of millions, and due to bitcoin mixers, they're less likely to be caught.

Also, I bet at least one person reading this has the "Cloud To Butt" extension installed. It's not only untrained users who install that sort of thing.