No, it is not necessary to shut down all extensions; you just need a better security model. Today, one click is sufficient to grant an extension unlimited access to all your request data (including form data) together with the ability to send that data anywhere. In addition, most of the problematic extensions try to trick the user by either not informing him/her at all about the data collection, or by misnaming it as an anonymized collection of "usage statistics" (which is often a blatant lie).
Of course it's fine to argue that it's the user's problem, but then I don't see why on one hand we're trying to harden browsers against all kinds of sophisticated attack vectors while at the same time giving malicious actors privileged access to all the user's data via the App Store. And again, restricting the kind of access that an extension has to the user's data would be a first step to amend the problem. Allowing users to report abuse in an effective way would be a second step. Being more strict with violators would be a third one, as today most extensions simply reapply for access after being deleted and often get included again (just wait and see, WOT will also make a reappearance).