That just seems like a lazy capitalism models. We had both 10 years ago without crazy tracking and accept all cookies why do we have for the worst lowest common denominator ?

I agree; the web ecosystem is enshittified garbage.

However, I'm just suggesting a modest improvement to browser extension security (that doesn't completely break ad blockers like Chrome's approach).

In practice, I run an ad blocker, and just trust that it won't exfiltrate bank passwords and stuff. Imagine the blast radius for a successful and undetected UBlock Origin supply chain attack!

My "pick one" approach (ad blockers would pick the middle option) would mean that comparable supply chain attacks would also need to include a sandbox zero day in the web browser.