I'm wondering when/if this is going to bite me in the butt

I agree that browser extension marketplaces are a failed experiment at this point. I used to run security an a fin services company, and our primary app had very strict Content Security Policy rules. We would get tons of notifications to our report-uri endpoint all the time from folks who had installed extensions that were doing lots of nefarious things.

People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.

The degree to which they are successful at that and add enough value to overcome the downsides is an open question. But it's clear that in a world where everyone is running hundreds of pieces of software that have auto-update functionality built in and unfettered access to CPU power and the Internet, uncontrolled app stores a honeypot for malicious actors.

- "It can: Read and change all your data on all websites"

It's not alarming sounding enough for what that implies, but "it can trigger requests under its control" seems fairly obvious from that. The permission it uses to inject ads can be used to inject ads (or block them).

Why a JSON formatter needs any permission at all is something anyone installing it should be asking themselves.

---

This is not meant to imply that I think the permission model of extensions in chrome or firefox is good, clearly it is not. But it's significantly better and more fine-grained than every single other widely-used permissions system in consumer apps. Ideally there should be more carve-outs for safe niches like a "read a JSON file, rewrite it into something that does not need javascript or external resources" could use, but also that kind of thing is likely to be nigh impossible to make "complete".

The amount of absolute clusterfuckery in browser extensions is endless. One of the biggest issues is with how extensions define their permissions and capabilities in their manfiest.json files. I've reviewed thousands of these now, and probably only 5-10% of extensions actually get it right. There are just so many confusing and overlapping permissions, capabilities, etc.

It is a failed experiment, but I don't think Google can just shut it off, because of their market dominance. They'd be disconnecting some of their competitors from their users. They need to move to an updated manifest spec that is (more) secure by default, has fewer footguns, etc.