
4) Paraphrasing Hofstadter's law, 2) remains true even if you account for it, because of how APIs interact.

The example raised elsewhere in the thread is good: in a browser, if you have access to the current URL of any tab in the context of which you run, you can start building browsing history. Whatever mitigations one could think of get defeated if the extension is allowed to make network requests, or modify the content of web pages. Once an extension can communicate with the outside world, it can exfil the data, even if piece by piece - and it can also keep its state outside of the browser.

Same applies to mobile apps.
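
One way to triage the permission combination described in the comment above, as an added example that is not part of the thread. It assumes the WebExtensions `manifest.json` format; the function name, the risk levels and the sample manifests are constructed for illustration.

```javascript
// Added example, not from the thread: coarse review triage of a manifest.
const URL_PERMS = new Set(["tabs", "webNavigation", "history"]);
const isHostPattern = (p) =>
  p === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(p);

function auditManifest(manifest) {
  // Manifest V2 lists host patterns inside "permissions"; V3 moves them to
  // "host_permissions". Optional grants count: they can be requested later.
  const declared = ["permissions", "optional_permissions",
    "host_permissions", "optional_host_permissions"]
    .flatMap((key) => manifest[key] || []);
  const hosts = declared.filter(isHostPattern);
  const injected = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);

  // Sources of tab/page URLs: explicit API permissions, host access (tab.url
  // is exposed for matching hosts), and content scripts (location.href).
  const urlSources = [
    ...declared.filter((p) => URL_PERMS.has(p)), ...hosts, ...injected];
  const channels = [];
  if (hosts.length) channels.push("cross-origin requests");
  if (injected.length || (declared.includes("scripting") && hosts.length))
    channels.push("page modification");

  const seesUrls = urlSources.length > 0;
  // URL visibility alone still merits review; a declared channel raises it.
  const level = !seesUrls ? "low" : channels.length ? "high" : "review";
  return { level, urlSources: [...new Set(urlSources)], channels };
}

// Constructed sample manifests.
const samples = {
  themeOnly: { manifest_version: 3, permissions: ["storage"] },
  tabTitles: { manifest_version: 3, permissions: ["tabs"] },
  mv2Reader: { manifest_version: 2, permissions: ["tabs", "https://*/*"] },
  injector: { manifest_version: 3,
    content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"] }] },
};
for (const [name, m] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditManifest(m)));
}
```

The levels are a triage signal for manual review, not a verdict: a "low" result only means the manifest declares none of the capabilities checked here.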


