An extension user could theoretically be willing to pay for the value the extension provides them. The malicious actors sending these emails are willing to pay for the value that a user's data provides them. These two numbers are not related in any way, and the value of user data will often be much higher than the value of the extension's functionality.

There is no way for monetization to solve this, because the two potential customers are not purchasing the same product.