It's not mandatory to use extensions.gnome.org; you can install it manually as well.
Note that GNOME shell does not allow a random website. It only allows the site extensions.gnome.org via https. LWN already covered all the security tradeoffs before.
Regarding privacy, this is set up by the same people who made GNOME shell. So maybe we are like your phone and we already track everything. Or perhaps we can be trusted. :P But you can still install manually.
The installation is not done by the browser btw, it is handled by GNOME shell (site->plugin->shell; shell making the decision + taking action in the end).