I mean I don't think some sort of "access control" within the editor is going to really address this. People edit sensitive text in their code editor and no matter what that is going to be available to most useful extensions. Even if you don't lose a credential or get some arbitrary script running to mine crypto on your machine you could have an extension function as a key logger and exfil code you really think is valuable.

its easy to complain, words are cheap. fork it and change it if you don't like it