Extensions are the primary threat to your security today. Nothing else comes close. Organizations are not basically competent if they are not restricting or blocking extensions, and you should not have more than one to three very trusted extensions in your browser. I'd argue the case for eliminating them in favor of in house code is significant.
As a reminder: Extensions execute with post-decryption access to the websites you view, and they update to new code silently and without asking for permission. HTTPS might as well not bother existing if you have extensions you do not have incredible trust in.
I would argue that building in extension-like features inside the browser is worse. In both cases, that's extra code, with security implications, but in case of extensions, you can choose not to have it.
Now, that's a question of whether you trust those who write the browser more than those who write the extension.
And by the way, the argument you have is the same that justifies the much hated "manifestV3", which makes extensions less powerful for security reasons. But it also limits the blocking capabilities of browsers to a simple, less effective blacklist. That Firefox still supports the old "insecure" way is a big selling point over Chrome.
We obviously know Chrome team is not doing things for security reasons, they are doing things for ad revenue reasons. But it's also true that blocking ads requires an insane amount of trust: The uBlock Origin author can choose to read your bank account numbers and passwords. (Although he is high profile enough this would be caught quite quickly.)
Arguably the problem is that Manifest V3 proposed removing an ad blocking capability without replacement, whereas I would argue just as popup blocking was a couple decades ago, it belongs as a first class browser feature, not outsourcing extremely sensitive capabilities to random outside parties. Browsers should not be operated by (or funded by.........) ad networks, and should built high quality, secure tools to filter unwanted content from their users.