Block downloading of add-ons from mozilla or any websites.
- Block download of XPI files.
- Remove "add from file" menu from about:add-on.
Because maybe the user wants something that isn't supposed to be allowed by default.
In a sense that is like arguing that Noscript shouldn't by default block scripts, "break" pages and require the user to do something to view other people's webpages.
Is that sensible?
I mean I hope there is a workaround for you to get what you want, but acting like a browser-bundle focused around security is completely "off base" in enforcing that (for instance) unknown things don't get to write to a file/filesystem in that manner is maybe a bit "demanding".