Users don't read dialogs. They just click yes so they can get to their shiny talking purple gorilla. This also doesn't address the threat model: a good extensions that users trust and give these rights to which is bought out and changed to do malicious things.
Not all do, some do. And it only takes a few to spot something fishy and start reporting problems.
> This also doesn't address the threat model
It actually does, because few extensions need broad permissions. The threat is significantly reduced if a change in required permissions goes up a new dialog pops up which encourages the few users that read the thing to ask "Hey, why is this asking for so many more permissions?"
This model works. It works so well that the security model of pretty much every app store is exactly the same. The risks are also identical.
