It's a bit unsafe, as someone could hypothetically do that, but mostly safe. Most of Google Analytics does this anyways, and I see keys in code all the time on sites I inspect the code of. I don't know much about the extensions, but from the docs you provided, I can see that it's pretty much the same thing but instead of it being for websites, it's for extensions. Are most people (~50%) going to even bother looking at the source code of your extension? They absolutely could spam your analytics, but in most cases, that would be pointless and of no gain to them. If your extension becomes popular, then maybe a higher amount of people would maliciously use that API endpoint with the key exposed. But you shouldn't worry too much if you make sure to filter out obvious junk data and detect certain HTTP headers so your analytics show only valid stuff from your application/extension. There is a bit of security through obscurity since knowing how to obtain and read the source code of extensions isn't common knowledge, I mean I probably could do it if I really tried, but I don't exactly know.

A rather opinionated but important thing you should worry about that makes this unsafe/bad is, do you really need to use Google Analytics? I know this is subjective, but I feel it's worth putting here. There are articles that explain why it and Google are bad (https://casparwre.de/blog/stop-using-google-analytics/). If you must use it due to your company or project limitations/whatever that's fine, I just think it isn't all that great and is bloat. I'm just saying, but I'll end it there, as I don't want to break SO rules (https://stackoverflow.com/help/deleted-answers) so I made sure to "fundamentally answer the question" first before adding my opinion.