I think this just comes down to sloppy programming. As a software engineer you will always have the opportunity to do something stupid or insecure, unless we force all our tools to nanny us. Frankly I suspect such tools would cause more problems than they are worth. That said I wouldn't scoff at a solution that makes this less likely without getting in your way. I think the key a lot of the time is rather than blaming the tool, we should make sure we understand how the tool works.
> This command [`vsce package`] includes all files in the current directory
Why does it do this? Is it trying to include code or some other assets?
Is this normal outside of C/C++ (or similar) build systems? Tools like cmake, premake, scons, etc. tend to expect you to tell the tool what to do. e.g. which files you want to compile.
If you need some sort of "compilation" (e.g. TS->JS, Webpack), you need to run that before the packaging command yourself. A VSCode extension mostly consists of a single package.json file with a "main" field pointing to some .js file. As far as I understand, vsce does not parse or handle anything, it just checks some metadata and includes the entire folder. This is also why extensions often ship with several files that are not required at runtime.
As to why - since extensions can do anything they want including running bundled binaries, there is no way for the IDE to know which files may or may not be relevant. That doesn't justify going with an include-by-default strategy though, an allow-list would be much better.
Is this normal in JS ecosystem? Not really I'd say. NPM packages for example have a "files" property where you specify what to include, and I feel like the general trend is towards a saner approach of modules and imports anyway.
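An added example (not from the thread or from vsce/npm themselves) contrasting the two strategies discussed above: packaging everything in the directory versus an npm-style `files` allow-list. The directory listing and the "unwanted file" patterns are constructed, and the allow-list semantics are simplified to exact paths and directory prefixes (no glob patterns).

```javascript
// Constructed listing of an extension's working directory.
const listing = [
  "package.json",
  "README.md",
  "out/extension.js",
  "out/extension.js.map",
  "src/extension.ts",
  "node_modules/dep/index.js",
  ".env",
  "test/fixtures/token.txt",
];

// Constructed patterns for files that should not end up in a published package:
// local secrets, test fixtures, and source maps that expose original sources.
const UNWANTED = [/^\.env$/, /(^|\/)test\/fixtures\//, /\.map$/];

// Include-by-default: everything in the directory is packaged.
function includeAll(files) {
  return files.slice();
}

// Allow-list: only listed paths, or anything under a listed directory, ships.
// package.json is always kept, mirroring npm's treatment of the manifest.
function allowList(files, allowed) {
  return files.filter(
    (f) =>
      f === "package.json" ||
      allowed.some((a) => f === a || f.startsWith(a.replace(/\/?$/, "/")))
  );
}

// Review step: report which shipped files match an unwanted pattern.
function flagUnwanted(shipped) {
  return shipped.filter((f) => UNWANTED.some((re) => re.test(f)));
}

// Compare the two strategies on the same tree.
const allowed = ["out", "README.md"];
console.log("include-all leaks:", flagUnwanted(includeAll(listing)));
console.log("allow-list leaks:", flagUnwanted(allowList(listing, allowed)));
```

Even with the allow-list, the source map under `out/` still ships, which is why a packaging step should be reviewed against the produced file list rather than trusted blindly.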