The old extensions were synchronous and ran in the GUI thread. Running firefox with extensions on a HDD would freeze all the time for me, before electrolysis.
What security model? Pretty much every WebExtension i've come across asks for practically everything and even Firefox's own addon page tells you to only install extensions you trust. At that point if you trust the extension source why bother with the security model in the first place? You already trust the extension developer to not break anything.
The one issue there is with developers that sell out their extensions to shady people. While I love the XUL era way more than this current trash, the security model with XUL would have done nothing to limit the blast radius and the update system would potentially install it silently
That said there used to be a human review system in place for extensions. I'm not sure if they do that any more
That is an issue with the current system too, sure an extension isn't able to look at arbitrary files in your system, but it still is able to look at your bank site, passwords, etc and can still do a ton of damage.
Web extensions aren't safe by default, you shouldn't trust them any more than any arbitrary EXE file.
I have to say, even though webextensions are clearly better and the way forward, i still kind of miss the old tamper data extension. ZAP just ain't as convenient to start up
Strangely I had the opposite thing happen, there were freezes after electrolysis, and it ran super fine before.
The freezes were the network, where if anything was required from the network the page would just pause for many seconds, this happened on all tabs, and after the pause they would all load/come back at the same time. Something was holding up all the network activity in Firefox.
Also there was a large amount of memory used, actually made it better by changing cache settings, the biggest being turning off the disk cache, for some reason that lowered the memory usage drastically.
But as far as I can tell the network pausing issue has mostly gone away now in the last year or so.
There also was not a good security model.
WebExtensions fixed these problems.