Right, minimizing attack surface is pretty important. Though the
described attack scenario (a form of self-exfiltration attacks [1]) is
something we did think about. (The details of the core IFC mechanism
are described in the COWL paper [2].) For example, if the extension
only needs to read data from gmail.com it is tainted with a unique
origin. (In general, IFC can be used to deal with both
confidentiality and integrity.)
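The label-tainting idea in the comment above, as an added illustration that is not part of the original reply and not COWL's own API (the spec's `Label`, `Privilege` and `LabeledBlob` objects are not modelled): a simplified lattice of conjunctive origin labels in which reading data raises a context's label, a network send is a flow to a context labelled with the destination origin, and a fresh "unique" origin that no endpoint matches and no context can declassify makes the tainted data unsendable anywhere. Disjunctive labels are left out of this model, and the `unique:N` naming scheme and the `attacker.example` origin are assumptions for the demo.

```javascript
// Added model of origin-label taint tracking in the spirit of COWL.
// Not COWL's API: a simplified lattice of conjunctive origin labels,
// enough to show why tainting with a unique origin blocks self-exfiltration.

class Label {
  constructor(origins = []) {
    this.origins = new Set(origins);
  }
  // Join: data computed from two labelled inputs is tainted by both.
  join(other) {
    return new Label([...this.origins, ...other.origins]);
  }
  // Confidentiality flow check: L1 may flow to L2 only if every origin
  // restricting L1 also restricts L2 (L2 is at least as restrictive).
  canFlowTo(other) {
    for (const o of this.origins) {
      if (!other.origins.has(o)) return false;
    }
    return true;
  }
}

let uniqueCounter = 0;
// A fresh origin that corresponds to no network endpoint and that no
// context holds a privilege for (assumed naming scheme for the demo).
function freshUniqueOrigin() {
  uniqueCounter += 1;
  return `unique:${uniqueCounter}`;
}

class Context {
  // privileges: origins this context may declassify (typically its own).
  constructor(name, privileges = []) {
    this.name = name;
    this.label = new Label();
    this.privileges = new Set(privileges);
  }
  // Reading labelled data raises (taints) the context's label.
  read(srcLabel) {
    this.label = this.label.join(srcLabel);
  }
  // Origins the context holds a privilege for are dropped before a flow check.
  effectiveLabel() {
    return new Label([...this.label.origins].filter(o => !this.privileges.has(o)));
  }
  // A network send to dstOrigin is a flow into a context labelled {dstOrigin}.
  canSendTo(dstOrigin) {
    return this.effectiveLabel().canFlowTo(new Label([dstOrigin]));
  }
}

// Scenario 1: an extension reads gmail.com data and then tries to send it on.
function extensionReadingGmail() {
  const ext = new Context("extension");
  ext.read(new Label(["https://gmail.com"]));
  return {
    toGmail: ext.canSendTo("https://gmail.com"),            // true: same origin
    toAttacker: ext.canSendTo("https://attacker.example"),  // false: exfiltration blocked
  };
}

// Scenario 2: the extension only needs to read, so the data it reads is also
// tainted with a unique origin; now it can send nowhere, not even to gmail.com.
function extensionWithUniqueOrigin() {
  const ext = new Context("read-only extension");
  ext.read(new Label(["https://gmail.com", freshUniqueOrigin()]));
  return {
    toGmail: ext.canSendTo("https://gmail.com"),            // false
    toAttacker: ext.canSendTo("https://attacker.example"),  // false
  };
}

// Scenario 3: the gmail.com page itself holds the gmail.com privilege, so it
// can declassify its own taint and send its own data where it chooses.
function gmailPageItself() {
  const page = new Context("gmail page", ["https://gmail.com"]);
  page.read(new Label(["https://gmail.com"]));
  return page.canSendTo("https://attacker.example");        // true: owner's choice
}
```

The check in `canFlowTo` is the whole mechanism: the extension's computation is unrestricted, but every outbound flow is compared against the taint it has accumulated, and a unique origin is a taint that no destination label can satisfy and no privilege can remove.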