One point from the Cyberhaven incident was that extension was controlled remotely by attacker configuration. MV3 removed the ability to run remote scripts. Extensions are required to have their code defined in the package now, but the configurations can still be dynamic.