I'm an developer on E2E team as well and can confirm that there's no 'hardening' going on. E2E is, to the best of our knowledge and we have expressed what that exactly means in our threat model: https://github.com/google/end-to-end/wiki/Threat-model. E2E is under Google VRP (https://www.google.ch/about/appsecurity/reward-program/), so if you're aware of any vulnerabilities, let us know.

E2E extension is not production ready, but I myself am using the compiled version as it is, in my biased opinion, the most secure of existing PGP-in-the-browser extensions.