Alas, Firefox doesn't allow changing any keybindings without modifying the source code. The bugzilla ticket about this is already 2 decades old.

Incidentally, anyone know which Firefox flag to set to disable running JS in PDFs entirely?

It's pdfjs.enableScripting in about:config. Note that Firefox is more strict with PDF scripts to begin with, and the linked Linux PDF only works in Chromium-based browsers.

MV2 extensions should work in Thunderbird without modification. I've made a couple of simple extensions that work like a charm in both Firefox and Thunderbird, but I'm not sure if more complex extensions would have issues. The documentation says thus:

Some information listed on MDN may not apply to Thunderbird and some API methods may not be supported. Each API page should include a compatibility chart and if that includes support for Firefox, it should work in Thunderbird as well.

Some MV3 extensions will not work in Thunderbird. See this page for list of missing functionality.

navigator.clipboard.read()/write() has been enabled (see documentation). A paste context menu will appear for the user to confirm when attempting to read clipboard content that is not originated from a same-origin page.

Very nice. The old execCommand API was annoying.

Isn't it already game over if malware can write into your hostfile? At least on Windows you need some elevated access for it, which means such malware could just read/write the target program's memory directly instead of resorting to clunky MitM.

Yeah, I also found out when I was manually testing our product's logged-out UX at work and the 2nd trial started logged in.