Any add-on added by the user is already executing in the client's space and has zero need for a vulnerability like this.
It's like saying that any program running on my computer could exploit a remote code execution bug... I mean, yes, it could. But why would it, when it already has local execution rights?
Because if the add-on just opens up a backdoor, the author can do more specifically targeted things at their whim rather than blasting everyone who installed it? Harder to get caught.
I mean, it was already maliciously exploited in a highly used addon. It was a lot easier to slip in a short one-liner than some highly suspicious "hack the user" blob of code. It was also extremely flexible. They could then do different things to each person instead of one fixed attack.
Addons are sandboxed. They can affect the game interface (in limited ways) and other addons, but not other software or files. And it's kind of hard to require further sandboxing, because that would limit addon power, and one of the reasons people like WoW is exactly because addons allow very deep interface customization.
That's why I'm thinking you'd naturally involve a simple permissions model [let script access chat?], just to avoid surprising behavior. Or more specifically, in-game I/O operations (e.g. trading, sending, etc.). The latter would really protect you from everything malicious I can think of, outside of deleting-your-inventory kinds of attacks.
There are protection mechanisms for many actions in the game. You can't use spells with addons, you can't move your character, etc. Many actions require a hardware event, e.g. you can't just buy something, you need to press a button for that. If you're sending mail with gold, you need to confirm that you really want to send that gold, and an addon can't override that confirmation (so a malicious addon can't invisibly send your gold to someone). There wasn't protection for the trade window, so a malicious attacker could steal your gold and/or items, but Blizzard added that protection very quickly after that exploit was found.
It's just a game, so they don't take it very seriously, I guess. They could just revert the transaction using their moderator powers if something bad happens.