There's still a fuse for the DCM even in this car but:
- It has an internal battery and will keep running for quite a while after pulling the fuse. This is a safety feature in case you get in a crash that disconnects the 12V battery
- It will break your in-car microphone as discussed. Repairing that requires opening up the dash
- That won't do anything for disconnecting the GPS antenna
In a perfect world they wouldn't collect it either, but I'd rather Apple have it than the car manufacturer (or rather, only Apple vs both Apple and the car manufacturer)
Also even with no modem, if you use CarPlay on your phone _via Bluetooth_ then the car will just use your phone's internet connection, so I only use CarPlay via a wired USB connection.
Aside from that the car works great, everything is 100% functional. I suppose I don't get OTA updates, which I'm fine with.
I'm only going to address 1) and 2) since the rest doesn't seem related to Chrome extensions.
1) Again, anyone who is willing to audit extension code can easily download it.
2) Extensions are auto-updating, so under the proposed solution the git hash would simply update with the new (say, backdoored) code. The fact that the extension is tied to a git commit hash has done nothing to protect you.
What's the difference between auditing an extension's code on github vs auditing the code from the Chrome store? It seems like anyone who is willing to do an audit can just as easily download the code directly. Sites like Duo's crxcavator [1] also do exactly that.