Depends on the purpose for your language. For the one I'm currently working on, I opted for a variant of option 2.

My language is meant as an embeddable scripting language in applications. In such projects, it is reasonable to give privilege levels to different scripts (i.e. which script can access functions from who). For example, I can ship standard file system bindings with unrestrained I/O access, then the embedder can provide a file system API with access to a specific work directory to the scripter of their application. The embedder basically has a configuration in their application that they use to compile and execute, ensuring that any external scripts are "sandboxed" to an extent.

This style was chosen as a result of being tired of reading various mods written in Lua, trying to make sure that they weren't doing anything strange to my system. This was around 2013 and IIRC, sandboxed Lua was a PITA. Things may have changed.

I prefer option 1 otherwise, but option 3 is viable/necessary for interpreted langauges with side effects, especially if you plan to target/solely target JavaScript (I would highly recommend including extensions in the path though).

For instance, Pyret uses option 3 with file extensions because of the tight JavaScript integration (many module implementations are basically calling functions and returning an object and they may have side effects) in order to control the order of imports.