You're conflating a few different things. There's origin security and there's local client security. Origin security is what protects you from one site accessing browser data from another site. Any discussion of extension permissions would apply primarily to origin security, because once you install anything with local client access you've already lost control. And when considering origin security, separate profiles within the same OS-level user account provide one method of strict enforcement.
Now, if your concern is client-level security against exploits (not malicious extensions or plugins), then you're far better off relying on the Chrome sandbox over a separate user account. The sandbox provides vastly lower privilege and much smaller attack surface than a normal user token, and OS-level privilege escalation vulnerabilities are far more common than sandbox bypasses. You can certainly use your approach in conjunction with the --no-sandbox option in Chrome, which should allow Chrome to work with runas. However, you'd be downgrading your security with that approach.
The important thing to consider, however, is that no user should be expected to invest their own effort in a multiple-profile solution. So, until someone creates something like the Chrome sandbox but with per-process origin isolation, there won't really be a general-purpose solution providing a superior form of origin-based security.