Not sure about best practices, but what I'm going is like this: * Create a schema named extensions.
* Install extensions in this special schema only. I don't put anything else in there. * Put the extensions schema early (left) in the search_path for each role. * Grant execute access permissively on the functions in that schema. If there's something deeply flawed about this strategy, I'd be keen to hear about it. On the positive side, I find it simple to understand, maintain, and explain to other people. YMMV
