People easily install these without being concerned about security or privacy. I am actually more curios if these are audited at all or the risk is solely on users?

I use GNOME only in throwaway VM, but even there - only the extensions available in official repository are used.