Actually homeManager can manage Firefox, installing extensions etc... Only it's a hack-ish and not much reliable way.
So no, actual Mozilla strategy does NOT work to stop malware's on Windows nor commercial OEMs customization, as a matter of fact made only life of pro users and admin harder and open the door for less safe setup (for instance extensions added via homeManager may not get updated by FF).
We would and should expect that it is be possible: unless Firefox signs configuration changes per-user, server-side (violating their privacy intentions), the whole configuration code is open source, and can easily be easily used or reverse engineered to make an external editor.
This doesn't change that a sanctioned API invites abuse far more readily than reverse-engineering, especially when spyware is less frequently updated than Firefox itself. That there isn't a sanctioned API, and that the de facto API can and does change every version, is an advantage for Firefox against potential attackers.
If this is something you are sorely lacking, Firefox has also been straightforward to modify and compile, in my experience. You can always share a patch and enjoy these features as part of a smaller community, without compromising the userbase as a whole.
So no, actual Mozilla strategy does NOT work to stop malware's on Windows nor commercial OEMs customization, as a matter of fact made only life of pro users and admin harder and open the door for less safe setup (for instance extensions added via homeManager may not get updated by FF).