
I was optimistically hoping some of the MV3 changes would result in Chrome webstore policy enforcement being standardized, but that hasn't happened.

Sensor Tower (https://sensortower.com/) makes a lot of popular extensions, like StayFocusd https://www.stayfocusd.com/. They seem to resell ad data (in violation of [1]?) and ship likely obfuscated code [2] (in violation of [3]?), but there's no enforcement or even clear reporting mechanism.

[1] https://developer.chrome.com/docs/webstore/program-policies/...

[2] https://robwu.nl/crxviewer/?crx=https%3A%2F%2Fclients2.googl...

[3] https://developer.chrome.com/docs/webstore/program-policies/...



Note: I am the author of this article.

MV3 makes it considerably harder to introduce a security vulnerability, but it doesn’t really help with outright malicious extensions. In the end this isn’t an issue which can be solved by technical means. It’s a moderation issue, and Google currently seems to be scaling back moderation despite not being great at it to start with.


Even with MV3 you still have access to `chrome.webRequest.onBeforeRequest` and content scripts, so this particular issue won't be 100% solved.

I don't think the solution is technical. The solution would be a strict policy, and nuke every extension and publisher from the store who even hints at doing this kind of BS.



