I personally do not see the point of considering this specific issue particularly severe because the Chrome Web Store already allows extensions to execute remote code in extension context simply by declaring `unsafe-eval` or `unsafe-inline` (or specific remote hosts) -- and one can find such extensions quite easily.
If the Chrome Web Store had a policy of "no remote code execution in extension context under any circumstance", then the issue would definitely have been high severity.
* * *
The result back then was that the reported behavior is in accordance with the CSP spec, so the issue was closed.
Maybe Chrome should change their default CSP for extensions that haven't declared one, though, to disallow `blob:` URLs.
This is worsened by the fact that the Play Store has near-zero security controls and no review, so it's easy for malicious code to sneak into basically any high-install-count extension, especially if (as many extensions do) it requested lots of permissions it doesn't need.
In the end, an extension like Greasemonkey is implicitly unsafe because it's designed to run third-party content. You can't really fix that at an extension store/distribution platform level - so you put that dangerous footgun behind a permission and make sure users know what they're in for when installing it. I'm not sure what else you could really do, since Greasemonkey scripts rely on the ability to muck with page content.
Edit: with Chrome extensions, I can inject a script tag from any domain to any page. I used that to inject a lib from CDN JS, but recognized it's silly and imported the package instead.
But I suspect it's related to this: