You can write malicious MV3 extensions. The changes' stated reason was performance, not security.