From the horse’s mouth:
Developer-signed Safari extensions are not supported in Safari 12. Safari extensions distributed in the Safari Extension Gallery are deprecated, and Safari 12 is the last release to support them. Safari by default will turn off Safari extensions using canLoad. Instead, use Content Blocker extensions. New submissions to the Safari Extensions Gallery will be accepted until the end of 2018.
From what I can tell there will still be some form of extensions, they’ll just depend on different, read: more secure, APIs. Some more unofficial reassurance from the peanut gallery on Hacker News (via floatingatoll):
Safari App Extensions appears to separate “in-page JS code” from “out-of-page Objective-C code” and introduces a sandbox that protects the in-page JS code from inspection or alteration by the out-of-page ObjC code.
If I understand that correctly, then I feel this is a clear security win. It forces extensions to run in-process (with DOM access) only the code that they shipped at build time, with only a simple data structure channel available to communicate with their out-of-process component.
I’m not sure what attacks on Safari using the old extension model led Apple to sandbox and secure this, but given the “App Store” hint, it seems likely that in-browser malware extensions exist and are being installed into Safari without user consent to spy on surfing and exfiltrate data for tracking. This would be a gold mine for a government-backed attacker, as the extensions are silent once installed and effectively invisible to most users.