by alangpierce 2857 days ago
They're not saying that their server will leak data; they're saying that an ecosystem of Slack Chrome extensions injecting arbitrary JS is fundamentally much, much less secure than an ecosystem of integrations using official Slack APIs. It's debatable whether Slack has the authority to disallow Chrome extensions, but it's certainly in their interest to discourage them.

If everyone gets used to installing 5 Chrome extensions from unknown developers adding little themes and tweaks to Slack, then some of those extensions are going to be malicious and a lot of people are going to have their accounts stolen. Third-party software should only request as much access as it needs, and Chrome extensions are just bad architecture for this sort of problem, since you can't say "this extension gets to make benign visual tweaks to the page but doesn't get to steal my Slack account". I haven't worked with Slack's API, but nearly every API like it provides granular access and certainly doesn't let you steal the user's account, and all actions are done via an API token that can be tracked and revoked by Slack if your app is malicious.
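
The coarse access model described in the comment above is visible in an extension's `manifest.json`: access is declared per host, not per capability. As an added example (not part of the comment, and not Slack's or Chrome's code), this Python script audits manifests for content scripts or host grants that cover the Slack web client; the host `app.slack.com` and the three sample manifests are constructed assumptions.

```python
# Constructed sample manifests; names and file names are illustrative only.
THEME = {"name": "Constructed Theme Tweaker", "manifest_version": 3,
         "permissions": ["storage"],
         "content_scripts": [{"matches": ["https://app.slack.com/*"],
                              "css": ["theme.css"], "js": ["tweak.js"]}]}
BROAD = {"name": "Constructed Helper", "manifest_version": 2,
         "permissions": ["tabs", "<all_urls>"]}
UNRELATED = {"name": "Constructed Other", "manifest_version": 3,
             "content_scripts": [{"matches": ["https://example.org/*"],
                                  "js": ["a.js"]}]}

TARGET_HOST = "app.slack.com"  # assumption: host serving the web client


def pattern_covers_host(pattern, host):
    """True if a Chrome match pattern can apply to https://<host>/ pages."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False  # API permissions such as "storage" land here
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host


def audit_manifest(manifest, host=TARGET_HOST):
    """List every declaration that lets the extension touch pages on host."""
    findings = []
    for script in manifest.get("content_scripts", []):
        hits = [p for p in script.get("matches", [])
                if pattern_covers_host(p, host)]
        if hits:
            findings.append("content script on %s: js=%s css=%s" % (
                hits, script.get("js", []), script.get("css", [])))
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    grants = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    hits = [p for p in grants if pattern_covers_host(p, host)]
    if hits:
        findings.append("host access granted via %s" % hits)
    return findings


if __name__ == "__main__":
    for m in (THEME, BROAD, UNRELATED):
        print(m["name"], "->", audit_manifest(m) or "no access to target host")
```

Any finding means the extension's code runs with the page's full view of the session, which is the gap the comment contrasts with a scoped, revocable API token.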