There was already an established solution for running untrusted code - the WebAssembly engine sandbox. Data can't be exfiltrated if imported functions are forbidden, which would be very easy to verify via static analysis of the WASM module. All of this hullabaloo about Manifest v3 could have been avoided if the Chrome team did the sane thing and exposed an API for using a WebAssembly module for filtering.
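The import check the comment describes can be sketched as follows. This is an added example, not part of the original comment and not a Chrome or extension API. `auditImports` and its `strict` option are hypothetical names, the three sample modules are hand-constructed byte arrays, and the strict mode goes beyond the comment's case by rejecting every import kind, not only functions.

```javascript
// Statically audit a WebAssembly module's imports before instantiating it.
// All sample modules below are constructed by hand for this example.
const HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00];

// (func (export "allow") (param i32) (result i32) local.get 0), no imports.
const PURE_FILTER = new Uint8Array([...HEADER,
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,   // type: (i32) -> i32
  0x03, 0x02, 0x01, 0x00,                           // function 0 uses type 0
  0x07, 0x09, 0x01, 0x05, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x00, 0x00, // export
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x20, 0x00, 0x0b]); // body: local.get 0; end

// (import "env" "send" (func (param i32))): a host function import.
const IMPORTS_FUNC = new Uint8Array([...HEADER,
  0x01, 0x05, 0x01, 0x60, 0x01, 0x7f, 0x00,         // type: (i32) -> ()
  0x02, 0x0c, 0x01, 0x03, 0x65, 0x6e, 0x76,         // import from "env"
  0x04, 0x73, 0x65, 0x6e, 0x64, 0x00, 0x00]);       // "send", kind 0 = function

// (import "env" "mem" (memory 1)): a memory import, no function import.
const IMPORTS_MEMORY = new Uint8Array([...HEADER,
  0x02, 0x0c, 0x01, 0x03, 0x65, 0x6e, 0x76,         // import from "env"
  0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00, 0x01]);       // "mem", kind 2 = memory

function auditImports(bytes, { strict = false } = {}) {
  let module;
  try {
    // Compiles and validates only; no module code runs until instantiation.
    module = new WebAssembly.Module(bytes);
  } catch (err) {
    return { accepted: false, reason: 'invalid module', rejected: [] };
  }
  // Each entry is { module, name, kind }, kind being "function", "table",
  // "memory", "global" or "tag". A table can hold function references
  // supplied by the host, which is why strict mode rejects every kind.
  const rejected = WebAssembly.Module.imports(module)
    .filter((imp) => strict || imp.kind === 'function')
    .map((imp) => `${imp.module}.${imp.name} (${imp.kind})`);
  return {
    accepted: rejected.length === 0,
    reason: rejected.length ? 'forbidden imports' : 'ok',
    rejected,
  };
}

console.log(auditImports(PURE_FILTER));
console.log(auditImports(IMPORTS_FUNC));
console.log(auditImports(IMPORTS_MEMORY, { strict: true }));
```

The check only covers what the module can call on its own; whatever the host does with the module's exports and return values is outside it.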