If you're only considering what is technically possible or what is allowed by an extension's content security policy (CSP), this may seem like a reversal, but from the start of the Manifest V3 effort we've approached limiting an extension's ability to execute remote code through a combination of extension platform changes and Chrome Web Store policy changes.
On the policy side, we added "Additional requirements for Manifest V3" to the Developer Program Policies in early 2022. This change requires that Manifest V3 extensions include all of the code they execute in the extension's bundle. While this policy defines what we allow on the Chrome Web Store, it doesn't directly help steer developers in the right direction; that's where platform changes come in.
On the technical side, one of the changes we pursued to prevent extensions from executing untrusted code is a limitation on what CSP directives and values extensions can set. For example, we can prevent extensions from calling eval() in extension contexts by not allowing extensions to use unsafe-eval in script-src. The problem here, though, is that over the past few years the way CSP and Wasm interact has been a bit of a moving target.
Historically, unsafe-eval was also used to control Wasm execution in browsers. In order to expose Wasm to Chrome extensions and apps, Chrome implemented the non-standard value "wasm-eval". Later, as the Wasm Working Group began to align on the introduction of "wasm-unsafe-eval", Chrome added support for that value. At the time we (extensions folks) thought that wasm-unsafe-eval was meant to be the Wasm equivalent of unsafe-eval and so didn't expose it to extensions. We were anticipating the introduction of another value or new directive that would allow us to restrict Wasm execution to sources loaded from the extension's origin, but unfortunately, that kind of control via CSP is still an unsolved problem. This created a situation where Manifest V2 extensions could use bundled Wasm but Manifest V3 extensions could not. Ultimately we decided it was best to allow extensions to set wasm-unsafe-eval and to adopt new CSP directives/values when they are introduced.
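The script-src distinctions described above can be checked mechanically before an extension is submitted. The following is an added example, not part of the original post and not Chrome's own validation code; the function names and the three-value allow-list are assumptions made for illustration, and the sample manifests are constructed.

```javascript
// Added example: a simplified audit, not Chrome's own manifest validation.
// Assumption: only these script-src values are accepted for extension pages.
const ALLOWED = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);

// Parse a CSP string into a Map of directive name -> list of source values.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // When a directive is repeated, only its first occurrence counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Return { wasmEnabled, findings } for a Manifest V3 manifest object.
function auditExtensionCsp(manifest) {
  const policy = manifest.content_security_policy?.extension_pages;
  if (manifest.manifest_version !== 3 || typeof policy !== "string") {
    return { wasmEnabled: false, findings: ["no MV3 extension_pages policy to audit"] };
  }
  const csp = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = csp.get("script-src") ?? csp.get("default-src") ?? [];
  const findings = [];
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'unsafe-eval'") {
      findings.push("'unsafe-eval' permits eval() in extension contexts");
    } else if (src === "'wasm-eval'") {
      findings.push("'wasm-eval' is the non-standard value; use 'wasm-unsafe-eval'");
    } else if (!ALLOWED.has(src)) {
      findings.push(`${raw} is outside the bundle-only allow-list`);
    }
  }
  return { wasmEnabled: sources.some((s) => s.toLowerCase() === "'wasm-unsafe-eval'"), findings };
}

// Constructed sample manifests (not taken from any real extension).
const bundledWasm = { manifest_version: 3, content_security_policy: {
  extension_pages: "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'" } };
const remoteCode = { manifest_version: 3, content_security_policy: {
  extension_pages: "script-src 'self' 'unsafe-eval' https://cdn.example.com" } };

console.log(auditExtensionCsp(bundledWasm));
console.log(auditExtensionCsp(remoteCode));
```

Note that a clean result only says the policy permits Wasm; as the post explains, CSP cannot yet restrict Wasm to modules loaded from the extension's own origin, so bundle contents still need separate review.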