de0u That is true; however, in both instances listed, the problem is not the extension protocol itself but rather the user sitting behind the keyboard. To quote the second article:
"The extensions offer all sorts of capabilities: emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters, and YouTube unblockers"
I would never install any of the extensions listed, nor have I ever used the Chrome extension store in the first place (that being where said malware is largely propagated). Saying extensions are insecure is the same as saying sideloaded APKs are insecure because they may contain CVEs or display over banking apps to steal credentials. After all, it is the responsibility of the user to trust that what they are installing is secure.
If Graphene devs do not want to display extension functionality to their userbase because non-power users may install an emoji keyboard that steals passwords, I completely understand; in fact, I believe that is the correct approach for the vast majority. However, I believe hiding the functionality behind a flag for power users would be the best way to integrate extensions; otherwise, that large proponent of the userbase will likely gravitate toward Firefox, which has even worse sandboxing.