Stepping back for a moment: what is this rogue program?
The reason it is able to claim to be org.gnome.Screenshot is that it is being run unsandboxed, as the same user as your shell. No amount of patching the shell with extensions will protect you from a malicious unsandboxed program, because it can also unload your extension or delete it from disk.
If you want to put a security boundary around a program, then you need to put it in a sandbox.