While these points may hold true, I’ve often seen the statement thrown around in chats and various forums that, “dart sux.” I don’t understand the hate, nor the juvenile phrasing.
Yes, if an extension can override CSP directives to allow arbitrary connect-src exceptions, it effectively means that any data in any form on any page is now susceptible of having that data sent to an attacker-owned URL.
The solution doesn't necessitate removing extensions, it just means potentially constraining the API surface of extensions in order to mitigate the attack surface.
Can you specify which policies are a nightmare to develop on? As a security-minded UI eng, I warmly welcome any new security policies that enable me to harden my applications and prevent exfiltration of sensitive data.