If you are running arbitrary code on your box, then local installed Chrome extensions aren't the real problem now, are they?
That code could, I dunno, run a local HTTP/S proxy (install a trusted cert) and MiTM your HTTP requests and inject ads that way. Or about a million other things.
And it's funny Chrome is trying to prevent apps from doing that, when they themselves do the same thing: In Windows, pinning to the taskbar is supposed to be user-only. But Chrome circumvents that and pins anyways, actively avoiding user preference. (And they drop an icon on the desktop, without asking.)
That code could, I dunno, run a local HTTP/S proxy (install a trusted cert) and MiTM your HTTP requests and inject ads that way. Or about a million other things.
And it's funny Chrome is trying to prevent apps from doing that, when they themselves do the same thing: In Windows, pinning to the taskbar is supposed to be user-only. But Chrome circumvents that and pins anyways, actively avoiding user preference. (And they drop an icon on the desktop, without asking.)