If you can trick someone into installing a malicious extension with arbitrary permissions, you can already run arbitrary code on every webpage they visit, including their logged in bank, social media, etc.
You think an attacker is right now thinking "Man, I know exactly how to make a lot of victims install an extension, but I can only steal their coinbase wallet and bank accounts, if only there was a way I could run calc.exe on their machine too..." who's going to pay more than $20k to upgrade from "steal all their money" to "steal all their money and run calc.exe"?