A couple of months ago I disclosed an issue I had discovered and reported to Apple Product Security: Safari runs disabled extensions. At the time, Apple Product Security felt that there were no actual security implications to this, which is why I went public. However, they seem to have had a change of heart after the publication of my blog post. Apple fixed the issue in Safari 13.1, released today, and credited me in the document describing the security content of Safari 13.1. Under "Additional recognition" at the end it says, "We would like to acknowledge Jeff Johnson of underpassapp.com for their assistance." That's me! So apparently there were security implications, as I argued.
After installing Safari 13.1, I can no longer reproduce the issue with my sample Safari app extension, which I made available for download in my previous blog post. As far as I can tell, the issue is completely resolved. Hooray! A disabled Safari app extension is now truly disabled in every way.