Not sure about best practices, but what I'm going is like this:
* Create a schema named extensions.
* Install extensions in this special schema only. I don't put anything else in there.
* Put the extensions schema early (left) in the search_path for each role.
* Grant execute access permissively on the functions in that schema.
If there's something deeply flawed about this strategy, I'd be keen to hear about it. On the positive side, I find it simple to understand, maintain, and explain to other people. YMMV
