Right, like getting access to the DOM was ever a hard thing to do. I was specifically referring to web apps in that point, but because you insist, I'll just reference [1].
Another vector to get rogue JS into a user's browser is cache-poisoning, something the article also brings up.
Cache poisoning won't work if an extension loads all of its code from its own bundle. So I fail to see how this applies to an app that is fully self-contained within an extension (extensions themselves are signed, so it's not like you could MitM the extension bundle itself...)
Sure, you can set up your app to stupidly do evals everywhere, but you can program a bad app in any language.
> XSS isn't the only way either
That's very, very vague. I asked what the attack vectors are. Saying "others" doesn't really work for me.