> I trust extensions running on all websites less than I trust a mitm proxy, because the mitm proxy doesn't have the ability to run code in the browser process itself.

No, but it is absolutely able to inject code which will then be run in the browser.