ocdtrekkie 3 hours ago
Extensions are the primary threat to your security today. Nothing else comes close. Organizations are not basically competent if they are not restricting or blocking extensions, and you should not have more than one to three very trusted extensions in your browser. I'd argue the case for eliminating them in favor of in-house code is significant. As a reminder: Extensions execute with post-decryption access to the websites you view, and they update to new code silently and without asking for permission. HTTPS might as well not bother existing if you have extensions you do not have incredible trust in.
GuB-42 2 hours ago | parent
I would argue that building in extension-like features inside the browser is worse. In both cases, that's extra code, with security implications, but in the case of extensions, you can choose not to have it. Now, that's a question of whether you trust those who write the browser more than those who write the extension. And by the way, the argument you have is the same that justifies the much hated "manifestV3", which makes extensions less powerful for security reasons. But it also limits the blocking capabilities of browsers to a simple, less effective blacklist. That Firefox still supports the old "insecure" way is a big selling point over Chrome.