This type of software is bundled into system executables as well - just like the "free antivirus and browser toolbars" of yesterday, these are the new bundled software.

If a company has an "internal network" (lol) that consists of security that can be described as Swiss cheese, then this stuff is a massive gap there.

Its not a secret in the industry, but I bet money that most of your users have no idea this is happening. They almost certainly wouldn't install those web extensions if this information was widely known.

As a rule of thumb, if you need to do something in secret to get away with it, its probably not ethical.

But, in the same vein as your comment, I have long wished for Common Crawl to really lean into their mission, and not just publish monthly snaps of whatever their bots can see but do what you said and accept .har or .warc files from anyone and serve the ... hourly? ... .warc via Bittorrent

1. If one wished to use .xpi/.crx (akin to F-Droid's install pathway) then the user would have to teach the browser to trust the signature of them. F-Droid doesn't suffer from this because each .apk is self-trusting, meaning it is signed, and that signature conveys lineage (v1.0 is owned by the same publisher as v1.1, so safe to upgrade), but the operating system doesn't have to be informed about any chain of custody for the .apk cert

2. I am not aware of any self-hosting extension registry, even from Mozilla, and extra lol for Chromium. If such a thing existed, the browser would have to allow the user to add "trusted extension registries" (along with their trusted CA chain). It would actually be snazzy if they went the Helm/Homebrew route and just leveraged OCI distribution (aka docker registry) for that, since it would open up almost unlimited self-hosting options, including publishing right from GitHub Actions to ghcr.io