I'm not talking about Google's Manifest v3 or anything recent. I'm talking about Firefox 57 (~2018) and onward when they abandoned XUL and all the extensions/add-ons had to be re-written as Chrome-style web extensions. Unfortunately many of the most complex extensions could not be, and lost features at best.
It's amazing that SeaMonkey, Pale Moon, and all the other forks which support XUL have managed to do so securely with incomparably smaller teams. Multiple proofs of the falsehood of your claims already exist.
Mozilla got rid of XUL because it wouldn't work with the multi-process model of Chrome they were copying in order to speed up the browser for running complex JavaScript applications. The security justifications were nonsense. The real security problems are in supporting all the new attack surfaces that modern browsers do in the form of exposing bare metal (or just above) functionality for acting as an OS (WebGL, WebSockets, etc.) instead of a browser.