Constrained list of functions.
This could go a long way towards opening up the web to more extensions but also keeping it more secure.
I recently did a rev to the Polar chrome extension:
and I had to request a new permission for filtering and they're now taking a WEEK to approve my any updates due to code review.
I really only need to evaluate a URL and add headers.
This doesn't need to be turing complete.
I basically just need to take a HTTP response and headers if they're missing when a specific origin is set.
And what does Turing completeness has to do with security anyway?