Being a popular open-source project is not a guarantee, it merely lowers the chances and complicates the attack.
Regarding extensions code: indeed, I do read the code of extensions that require some elevated permissions, if these extensions are not otherwise vetted. This is why I avoid installing excessively complicated extensions, unless they ask for minor permissions. Having the list of tabs is no big deal; accessing data in your tabs, even for a particular site, triggers scrutiny.
> Being a popular open-source project is not a guarantee, it merely lowers the chances and complicates the attack.
It also makes it easier to deal with it after the fact. You can fork an open source project the minute it's detected that it's doing something it shouldn't. When closed source software goes bad you can't pick right up from the last known good version and move on; you have to find a product that entirely replaces what you had and hope that it does everything you need at least as well, which isn't always likely, since you were presumably using the other software because it was better than existing alternatives.
Sounds like we agree then that extensions are not any different from other apps in this respect and that you should always review the source code if you are installing software that needs to be given great power.