The site Joomla! Extensions Directory (JED) exists as a free service to the community. Anyone can post extensions there and extensions exist at all levels of quality and maturity.
If an extension is found to contain vulnerabilities, it will be removed from the site until a safer version is released, but there is no guarantee that the vulnerabilities of every extension have been discovered or reported.
The Vulnerable Extensions List lists the extensions with known vulnerabilities.
To be safe, you must verify the security of every extension you install.
Below is the text of the Joomla! Extensions site disclaimer. Ignore it at your peril.