I use vscodium which is vscode with all the telemetry ripped out. Anybody can make malicious extensions for any IDE, so I don’t see what’s speccial in that regard. It’s just a reminder that you want to be careful about extensions you install.