The site Joomla! Extensions Directory (JED) exists as a free service to the community. Anyone can post extensions there and extensions exist at all levels of quality and maturity.
If an extension is found to contain vulnerabilities, it will be removed from the site until a safer version is released, but there is no guarantee that the vulnerabilities of every extension have been discovered or reported.
You can find here the VEL Vulnerable Extensions List. This list the extensions with know vulnerabilities.
To be safe, you must verify the security of every extension you install.
Below is the text of the Joomla! Extensions site disclaimer. Ignore it at your peril.