Hacker News

Android apps can anytime do remote code execution. GrapheneOS even offers controls to restrict Dynamic Code Loading per app. But Google somehow cares only about RCE in browser extensions?



Note: I am the author of this article.

Apples and oranges. Android is supposed to isolate apps from each other (yes, theory). So a malicious app should only be able to steal data the user provides it with.

On the other hand, a single malicious extension will compromise the entire browser. Nothing you do on any website is any longer safe.

Not that I don’t think that Google should pay more attention to the apps in the Play Store. But allowing extensions to hide their functionality with remote code is plain negligent.



