Topic: https://intoli.com/blog/sandbox-breakout/

unverified 5y, 263d ago

Does this run locally on my end or in the cloud on your end?

evan 5y, 263d ago

It runs locally on your end. This is about running JavaScript code in different browser contexts in a local web browser.

unverified 5y, 124d ago

From the POV of a web browser user, this points out a potential risk should some trusted extension use these methods to access critical private data. Although care can be taken in which extensions to allow, any extension still becomes a potential security problem - ironically even extensions aimed at reducing security risks.

From the POV of a web site providing some kind of service, such as constrained provision of owned data, this points out a potential risk of an extension that would allow users to (considered from said POV) abuse the intended constraints. A logical conclusion is that browsers will move towards preventing such action because they depend upon users of such services, and hence depend upon the services. Finding and rejecting such extensions might be more expensive than simply constraining extension functionality - although that would likely also have a negative impact on extensions which enhance security and which are highly popular with browser users. One possible solution for browsers would be to enable web sites to reject certain extension actions, e.g. "document_start" injection, and inform users which extensions are being rejected and offer users the option to block extension actions on a per website basis. E.g., block extension actions for user-trusted banking sites and user-trusted services, but not block on other sites. Too complex? Maybe. But clearly browsers are moving in the direction of limiting extension capabilities.
I wonder if underlying Firefox's "accidental" shutoff of all extensions (May 2019) was an unhappiness with having to deal with this conundrum.

unverified 5y, 4d ago

Excellent contribution, I am very grateful!

"...content script sandboxing exists to protect content scripts from malicious page code, not the other way around."

This gives me the confidence that the solution is stable.

You are amazing!
