The concern here isn’t that you might install a nefarious extension. It’s that a developer could gain the trust of a large user base and then update the extension with bad code. Because Safari updates extensions automatically, imagine the potential for wrongdoing: nobody is watching.
Safari can update your extensions automatically. Included in the extension is a URL that the developer may optionally provide, and Safari checks that URL on occasion to see if a new version of your extension is available. If it is, Safari will install that new version silently.
Thus, the mythical A Decidedly Un-Evil Extension, which could provide the definition of any word you double-clicked on, could seem noble and safe. After a few months of swelling popularity, the extension’s nefarious creator could update the extension with <iframe> evilness, and start gathering personal information about you, from the webpages you visit. Unless you regularly check your Safari Extensions’ version numbers, you might never even know that the extension had been updated, and therefore never even suspect any change had occurred.
The example used by Lex Friedman involves an extension that creates an <iframe> in the browser, and shows how he could use it to reveal your IP address. With evil intent, someone could plant a bomb that wouldn’t be as forgiving. The entire read is worth checking out at Lex, Briefly.
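One way to do the version check the quoted passage says nobody does, as an added example that is not from Lex Friedman's post: parse the update manifest served at an extension's update URL and compare it with a baseline of versions you have already reviewed. The manifest key names follow the legacy Safari extension update plist and are an assumption here; the identifiers, URL and baseline are constructed.

```python
import plistlib

# Constructed sample update manifest. The key names are assumed to match the
# plist layout of Safari's legacy extension updater; they are not from the page.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Extension Updates</key>
  <array>
    <dict>
      <key>CFBundleIdentifier</key><string>com.example.unevil</string>
      <key>Developer Identifier</key><string>ABCDE12345</string>
      <key>CFBundleVersion</key><string>7</string>
      <key>CFBundleShortVersionString</key><string>1.4</string>
      <key>URL</key><string>https://example.com/unevil.safariextz</string>
    </dict>
  </array>
</dict>
</plist>"""

# Versions that have been reviewed and approved (constructed baseline).
BASELINE = {"com.example.unevil": {"version": "6", "developer": "ABCDE12345"}}


def audit_manifest(manifest_bytes, baseline):
    """Return (identifier, finding) pairs for entries that differ from the baseline."""
    findings = []
    updates = plistlib.loads(manifest_bytes).get("Extension Updates", [])
    for entry in updates:
        ident = entry.get("CFBundleIdentifier", "<missing>")
        known = baseline.get(ident)
        if known is None:
            findings.append((ident, "not in baseline"))
            continue
        if entry.get("Developer Identifier") != known["developer"]:
            findings.append((ident, "developer identifier changed"))
        offered = entry.get("CFBundleVersion")
        if offered != known["version"]:
            findings.append((ident, f"version {known['version']} -> {offered}: review before trusting"))
        if not str(entry.get("URL", "")).startswith("https://"):
            findings.append((ident, "update served over non-HTTPS URL"))
    return findings


if __name__ == "__main__":
    for ident, problem in audit_manifest(SAMPLE_MANIFEST, BASELINE):
        print(f"{ident}: {problem}")
```
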