A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official theme to include risky code. Further research into the VSCode Marketplace found thousands of extensions with millions of installs.
As @Deebster points out, on Android & iOS apps need to ask for permission before accessing sensitive commands beyond the kernel. VisualStudio (as far as as I know) doesn’t have a permissions layer. Also the article also mentions that scrutiny is lenient since VSCode is a Dev tool used by (on average) knowledgeable users.
100% agree with you, Microsoft is mostly cost cutting/shirking responsibility by not implementing tighter controls on external code on their tools.