
The fact that third-party addons can even touch sensitive settings in the user.js prefs is a massive security flaw in Mozilla's implementation of the WebExtensions API. Addons should be sandboxed/containerized or require privilege escalation before touching files on the disk.


It uses native messaging with a Python script: https://github.com/tridactyl/tridactyl/blob/master/native/na...

I don't think anyone who uses Tridactyl is worried about its security; it has a permissions list 15+ lines long.


This. The whole point of this security feature is to prevent extensions from interfering with Mozilla pages. What's the point of this when addons can bypass or turn it off themselves?


Only extensions that have a native messenger can do this (which requires users to accept a scary-sounding permission and install a separate application on their computer).
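An added example, not part of the thread and not Tridactyl's code: the "separate application" is registered with Firefox through a native messaging host manifest, so a defender can list which extensions are allowed to talk to which local programs. It assumes a Linux host and Firefox's manifest directories for that platform; `audit_native_hosts` is a hypothetical helper name.

```python
import json
import stat
from pathlib import Path

# Firefox's Linux manifest locations (assumption: a Linux host).
DEFAULT_DIRS = [
    Path.home() / ".mozilla/native-messaging-hosts",
    Path("/usr/lib/mozilla/native-messaging-hosts"),
    Path("/usr/lib64/mozilla/native-messaging-hosts"),
]


def audit_native_hosts(dirs=DEFAULT_DIRS):
    """Return one record per native messaging host manifest found."""
    findings = []
    for directory in dirs:
        for manifest in sorted(Path(directory).glob("*.json")):
            rec = {"manifest": manifest.name, "name": None, "path": None,
                   "allowed_extensions": [], "issues": []}
            findings.append(rec)
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                rec["issues"].append("manifest is not readable JSON")
                continue
            if not isinstance(data, dict):
                rec["issues"].append("manifest is not a JSON object")
                continue
            rec["name"] = data.get("name")
            rec["path"] = data.get("path")
            allowed = data.get("allowed_extensions")
            rec["allowed_extensions"] = allowed if isinstance(allowed, list) else []
            if not rec["allowed_extensions"]:
                rec["issues"].append("no allowed_extensions listed")
            host = Path(rec["path"]) if isinstance(rec["path"], str) else None
            if host is None or not host.is_file():
                rec["issues"].append("host program missing")
            elif host.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                # Anyone who can rewrite the host program controls what
                # the extension's native side does.
                rec["issues"].append("host program writable by group/other")
    return findings


if __name__ == "__main__":
    for rec in audit_native_hosts():
        print(rec["name"], rec["path"], rec["allowed_extensions"], rec["issues"])
```
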



