Given that 90% of normal people use browsers that don't have this restriction, I don't think Mozilla's threat model makes sense. Also, users who are susceptible to being tricked into installing an addon can just as easily be tricked into going to bank.com.h4xx0r.ru, editing hosts file, changing DNS settings, or even installing chrome or a different browser.

Franky, I don't think this move is motivated by security concerns at all. (Not that it matters anymore)