[ufmace]

I don't know about this specific point, but you might want to take a look at the greasemonkey security pitfalls page [0]. There's been a lot of effort put into how all of these parts work together to make sure that malicious Javascript on the page can't interfere with what the plugin or userscript is trying to do.

[0] http://archive.oreilly.com/pub/a/network/2005/11/01/avoid-co...

[AgentME]

Chrome extensions' content scripts are under stronger isolation from the page than greasemonkey scripts are (or were? -- I'm not sure if greasemonkey has changed since). Chrome extensions run in a separate "isolated world" from the page. They never share javascript objects directly. (They do share the DOM, but the isolated world gets its own separate Javascript wrappers around the DOM.) It's not possible to leak a function from the extension to the page, etc.