But what's your argument? That phone-based extensions are more vulnerable somehow than desktop extensions?

If anything, wouldn't a phone extension be more sandboxed than most desktop environments?