If a clever malicious extension can’t inject malware using non-blocking webRequest, I’ll eat my hat. For that matter, injecting malware using declarativeNetRequest doesn’t look particularly hard. I find it very hard to believe that the restriction on, specifically, blocking webRequest is genuinely motivated by security.
If Chrome really wanted a minimal change here to improve security, they might have restricted webRequest to only permit blocking the request but not modifying it.
If you prevent modifying completely, that would break large swatches of all extensions. I would imagine manifest will eventually move there, but moving straight to the end goal would have created a lot more outrage (rightly so).
Again, since you seem to have ignored the main point of GP and my reply, this was the "first step" in the right direction.
If Chrome really wanted a minimal change here to improve security, they might have restricted webRequest to only permit blocking the request but not modifying it.