Yeah, that matches up with what I've seen. They've at least been decent enough not to kick people off the store, but I don't think it's possible to just have them sign / publish something unlisted these days without a good deal of policy writing and justifications.
Yet the large actors still publish malicious updates to extensions. ¯\_(ツ)_/¯
They have this "private" feature now where you have to list the email addresses of people that are allowed to use the extension. I don't see why that couldn't be coupled with "no review required", so long as the list is relatively short. But, yeah, likely will never happen.
Fortunately for me, I can re-do my extension to use the JS postMessage api which won't require hardly any permissions, and thus, not much to review.
Yet the large actors still publish malicious updates to extensions. ¯\_(ツ)_/¯