You're assuming that the attacker either 1) controls Chrome's sourcecode so fully that they can modify it and nobody else will review the change and/or 2) this new api will introduce a security bug.
#1 is a possibility for every single piece of hardware and software that we interact with. There is nothing that makes Chrome more vulnerable, other than being a higher profile target. That's countered by higher levels of scrutiny from the whitehat community and Google themselves.
#2 applies to any feature that they add. There is nothing special about a Bluetooth API. We're already trusting browsers to handle stuff far more sensitive than this. Chrome is one of the most thoroughly tested, hardened, and sandboxed pieces of software there is. If it's not provided by the browser (which has essentially replaced the OS these days in terms of running 3rd party code) then we have to trust some 3rd party extension to do the device interaction, and to do it with the level of security that Chrome would. Sorry, but I don't see that as any better or likely. Whether it's the Chrome app on a mobile phone, or Chrome on the desktop, this will make working with Bluetooth much easier, while keeping things as safe as can be reasonably expected.