How safe are even signing extensions really?  Would you trust an extension to guard a bitcoin key of any value, for example?... or is this in the context reasonable safety is on a spectrum?