> Does this mean every company is one bad extension install away from having its entire codebase stolen or worse?

Yes.

> I naively assumed the extensions were 'sandboxed' to some degree.

No. This is fairly obvious if you have used more than a few extensions - often they'll ask you to download and install binaries.