On one hand, yes, those are malicious extensions. On the other, Google policy states any code not originating from Google server is remote code, even code on my own hard drive. It's my computer and I should have ultimate choice. No amount of headers sent by the server should be able to override My User Agent behavior against my will.

It's hard to easily reconcile those two points of view, but a solution other than "Google has the final say" has to be found. If I wanted a nanny I would be using Apple products.
Android apps can do remote code execution at any time. GrapheneOS even offers controls to restrict Dynamic Code Loading per app. But Google somehow cares only about RCE in browser extensions?