It's interesting to observe the current landscape of app delivery: previously it was just binaries or sources on the developer's site; now it's shifting to a centralized model in the name of protecting users from malicious actors. I wonder if there is a way to have a cookie (developers don't need to worry about the random behavior of your centralized owner) and eat it too (fight malware).
In this case the centralized owner is the Chrome Web Store; you're leasing space in their list of offerings at their terms, for better or worse. It's worth noting that the Chrome Web Store is just an easy (and highly visible, of course) way of installing extensions but not the only one; developer mode and self-installing is totally possible (though admittedly higher friction).
Protecting users from malicious actors serves in the best interests of the Chrome Web Store, certainly, but there's nothing stopping users from running their own security software.
In a more ideal world a developer would distribute an extension from their own platform and the user would run a security check against it (and all future versions). Until we get to that world, though, a store that is focused on integrity of security and expresses its right to remove things that don't fit its model is convenient.
Firefox still allows installation from third-party websites; they merely require add-ons to be signed by AMO. This allows Mozilla to revoke a signature for malicious add-ons; I'm not sure how often this happens in practice.
Isn't signing supposed to solve some of that? You sign the binaries you host on your site, and the OS checks to make sure the signature is valid. (Maybe against a non-profit "Let's Sign".) If it's a valid signature, then you know it was signed by someone your OS trusts. Ideally, the OS would not trust signatures from malicious actors.
I've never been involved with that kind of thing, so I'm just guessing. Feel free to correct me.
What kind of package? That probably means the signing is way too complicated. There's not much to get wrong in doing a single hash of an entire zip package and then appending a simple signature of that hash.
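As an added example (not code from any commenter, Mozilla, or Google) of the scheme the comment above and the earlier Firefox/AMO comment describe: hash a whole zip package once, sign that hash, and let the verifier check the hash, the signer's trust status, and a revocation list. The package contents, publisher name, and revocation list are constructed for illustration; it uses Go's standard-library Ed25519 and SHA-256 rather than any store's real signing format.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the "simple signature appended to the hash" from the comment:
// the package digest, a signature over that digest, and the signer's key.
type Manifest struct {
	PackageHash [32]byte
	Signature   []byte
	PublicKey   ed25519.PublicKey
}

// Verifier models the OS / store side: which publisher keys are trusted and
// which individual signatures have been revoked (as AMO can do for add-ons).
type Verifier struct {
	Trusted map[string]string // hex public key -> publisher name
	Revoked map[string]bool   // hex signature -> revoked
}

// NewPublisherKey generates a developer signing key (hypothetical publisher).
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// KeyID and SigID give stable lookup keys for the trust and revocation maps.
func KeyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }
func SigID(sig []byte) string            { return hex.EncodeToString(sig) }

// BuildZip assembles an in-memory zip from (name, body) pairs; this stands in
// for the extension package a developer would host on their own site.
func BuildZip(files [][2]string) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, f := range files {
		entry, err := w.Create(f[0])
		if err != nil {
			return nil, err
		}
		if _, err := entry.Write([]byte(f[1])); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// SignPackage does the one hash of the entire package, then signs that hash.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) Manifest {
	h := sha256.Sum256(pkg)
	return Manifest{
		PackageHash: h,
		Signature:   ed25519.Sign(priv, h[:]),
		PublicKey:   priv.Public().(ed25519.PublicKey),
	}
}

// Verify recomputes the hash, checks the signer is trusted, checks the
// signature, and finally checks the signature has not been revoked.
func (v Verifier) Verify(m Manifest, pkg []byte) (string, error) {
	h := sha256.Sum256(pkg)
	if h != m.PackageHash {
		return "", errors.New("package hash mismatch: contents changed after signing")
	}
	name, ok := v.Trusted[KeyID(m.PublicKey)]
	if !ok {
		return "", errors.New("signer is not a trusted publisher")
	}
	if !ed25519.Verify(m.PublicKey, h[:], m.Signature) {
		return "", errors.New("signature does not verify")
	}
	if v.Revoked[SigID(m.Signature)] {
		return "", errors.New("signature has been revoked by the signing authority")
	}
	return name, nil
}

func main() {
	pub, priv, _ := NewPublisherKey()
	// Constructed sample package; not a real extension.
	pkg, _ := BuildZip([][2]string{{"manifest.json", `{"name":"demo"}`}, {"bg.js", "console.log('hi')"}})
	m := SignPackage(priv, pkg)
	v := Verifier{Trusted: map[string]string{KeyID(pub): "demo-publisher"}, Revoked: map[string]bool{}}
	name, err := v.Verify(m, pkg)
	fmt.Println("first install:", name, err)
	v.Revoked[SigID(m.Signature)] = true // the authority pulls this release
	_, err = v.Verify(m, pkg)
	fmt.Println("after revocation:", err)
}
```

The revocation check is per signature rather than per key, so a publisher whose one release turned out to be malicious can have that release blocked without invalidating every other package they ever signed; a compromised key would instead be removed from the trusted map.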
And in the end the malicious actors are the centralized hosts. Even if they don't start that way, centralization leads to perverse incentives for censorship.
Quite remarkably, they are only moderately successful in keeping malicious actors out of the Chrome Web Store. Centralizing deployment won't give you that automatically; you also need the manpower to enforce policies. And Google isn't even acting when extensions are flagged.
Well, the solution is a sandboxed temporary runtime environment with user-controlled session duration, user-managed permissions and strong profile silos, also known as: your browser.
They aren't applications; they extend the environment on which the untrusted applications run. As such they're more like kernel modules in regard to security and threat modelling.