You do not have to police everything. Copy what Mozilla is doing: pass the top X extensions through manual audits (including looking at code diffs on every update) and mark them as trusted. Maybe also add a giant warning "this extension may steal your stuff" when installing everything else.