I would argue that building in extension-like features inside the browser is worse. In both cases, that's extra code, with security implications, but in case of extensions, you can choose not to have it.

Now, that's a question of whether you trust those who write the browser more than those who write the extension.

And by the way, the argument you have is the same that justifies the much hated "manifestV3", which makes extensions less powerful for security reasons. But it also limits the blocking capabilities of browsers to a simple, less effective blacklist. That Firefox still supports the old "insecure" way is a big selling point over Chrome.