
The tool could tell them what the problem is. There are fine grained permissions, and Google could say which of those fine grained permissions are used badly. OR, they could just restrict those permissions themselves in the browser.


If it did, it'd be easy for malware authors to work around the scanner. The system we've got right now isn't great, but I've yet to see any better ideas.


How does that make any sense? There's some set of permissions that's safe enough to approve, but too dangerous to tell you it's safe enough to approve?


I don't understand what you're talking about. If the scanner looks for extensions with permissions for all your web browsing activity, so malware authors stop asking for permissions for all your browsing activity...isn't that great news?
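The two comments above (the first asking why the tool can't just say which fine-grained permission is the problem, and this one pointing at "permissions for all your web browsing activity") describe the kind of check a developer-facing audit would run over a Chrome extension manifest. The following is an added example, not code from the thread or from Google's review pipeline: it reads a manifest.json object and reports each declared permission that grants broad or sensitive access, in plain language a developer could act on. The manifest is constructed for illustration; the permission names and match-pattern syntax are Chrome's real ones (Manifest V3, with the MV2 case of host patterns inside `permissions` also handled). Which permissions count as "sensitive" is this example's own list, not Chrome's policy.

```javascript
// Added example: audit a Chrome extension manifest for broad or sensitive
// permissions and explain each finding. Not the thread's or Chrome's code.

// Constructed sample manifest (not a real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Extension (constructed sample)",
  version: "1.0",
  permissions: ["storage", "tabs", "webRequest"],
  host_permissions: ["<all_urls>"],
  optional_permissions: ["history"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};

// API permissions that expose browsing activity or page content, each with
// the reason a reviewer could show the developer. This list is an assumption
// of the example, not Chrome's official risk classification.
const SENSITIVE_PERMISSIONS = {
  tabs: "reads the URL and title of every open tab",
  history: "reads and modifies the user's browsing history",
  webRequest: "observes every network request the browser makes",
  webRequestBlocking: "can block or modify network requests",
  cookies: "reads and writes cookies for permitted hosts",
  clipboardRead: "reads the system clipboard",
  debugger: "attaches the DevTools debugger to pages",
  nativeMessaging: "talks to native programs outside the browser",
};

// "<all_urls>" or any scheme with a bare "*" host ("*://*/*", "https://*/*")
// covers every site the user visits. "https://*.example.com/*" does not.
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?|ftp|file):\/\/\*\//.test(pattern);
}

// Returns a list of { section, value, reason, severity } findings.
function auditManifest(manifest) {
  const findings = [];
  const add = (section, value, reason, severity) =>
    findings.push({ section, value, reason, severity });

  // MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
  for (const section of ["permissions", "host_permissions"]) {
    for (const entry of manifest[section] || []) {
      if (isBroadHostPattern(entry)) {
        add(section, entry, "grants access to every site the user visits", "high");
      } else if (SENSITIVE_PERMISSIONS[entry]) {
        add(section, entry, SENSITIVE_PERMISSIONS[entry], "high");
      }
    }
  }

  // Optional permissions are only granted on a runtime prompt, so they rate
  // lower, but the developer should still see them listed.
  for (const section of ["optional_permissions", "optional_host_permissions"]) {
    for (const entry of manifest[section] || []) {
      if (isBroadHostPattern(entry)) {
        add(section, entry, "may request access to every site at runtime", "medium");
      } else if (SENSITIVE_PERMISSIONS[entry]) {
        add(section, entry, SENSITIVE_PERMISSIONS[entry] + " (on request)", "medium");
      }
    }
  }

  // A content script injected into every page reads all browsing activity
  // just as effectively as a host permission does.
  for (const script of manifest.content_scripts || []) {
    for (const match of script.matches || []) {
      if (isBroadHostPattern(match)) {
        add("content_scripts.matches", match, "injects code into every page", "high");
      }
    }
  }
  return findings;
}

// Human-readable report, one line per finding.
function formatReport(findings) {
  if (findings.length === 0) return "No broad or sensitive permissions declared.";
  return findings
    .map((f) => `[${f.severity}] ${f.section}: ${f.value} (${f.reason})`)
    .join("\n");
}

console.log(formatReport(auditManifest(SAMPLE_MANIFEST)));
```

Run with `node audit.js`; on the sample manifest it lists `tabs`, `webRequest`, `<all_urls>`, the optional `history`, and the `https://*/*` content-script match, and says nothing about `storage`. A real review tool would have to decide how much of this to surface, which is exactly the trade-off the rest of the thread argues about.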


I understand that's the reason they give. I just don't believe them. At some point you have to assume good faith. Maybe that point is when the item in question has over a million users and a good rating.


You're missing the fact that the reason is given by software not an actual person. Welcome to the world of social automation.


Couldn't malware authors start from the other direction? Create a no-op extension with no permissions and gradually add things until it's no longer approved.


No. This gets you banned.


Is that really true?


Only years later, as in the case of a certain Vietnamese hacking group that did exactly this starting at the end of 2015 and didn't have their apps yanked until Nov & Dec of 2019 and another batch located & yanked only last month, well after any and all damage was already done to those who used the apps.


Well, I meant for devs who are doing it innocently ;)

The fact that it took four years in your example implies that permission shaving isn't hugely risky for devs.


Malware authors can register a dozen or a thousand throwaway accounts (probably not super easy but not hard either).

It's the honest developers that get their meaningful accounts banned.



