This is definitely a real concern, and we're actually exploring the Chrome permissions to see if it's possible to redirect your traffic, without requiring the "Read all data" permission, because you're right, that shouldn't be the norm.
The permission would need to ask for "your data on go" rather than "your data on golinks.io". I'm not certain that the "your data on golinks.io" would cover it but I think it would.
IMO this permission is something that Chrome should explore, along with other fine-grained permissions. It might be worth making a bug report to Chromium so you can link it when people ask why you ask for such broad permissions. I think the bug report should probably mention that Google uses go links :)
I don't think this is correct. The extension identifies GoLinks embedded in other websites (like internal knowledge bases or emails, I presume) and converts them to a link to the destination.
Ah, so plain text go/test would be linked? That would need full permissions I guess. What wouldn't is for the markdown [jobs](//go/jobs) - that would only need the ability to intercept links on the `go` host - but that wouldn't be nearly as convenient (I didn't realize it would need double slashes before it until now, that makes it a lot less appealing.)
It would still be possible to create a permission that makes it so the code that edits a page can't make any network requests (the output would need to be HTML sanitized, including links), and I'd like to see that, but it would be more difficult to design, implement, and communicate to users.
If it's found to be grabbing more data than it should, people can report them and the extension can be banned from the Chrome Web Store.
It's not ideal but in order to make utilities that work on every page, these permissions are needed.
The code inside the extension bundle (.crx) would need to contain the potential for abuse, and if it gets popular enough, security researchers will look at it. Even if it's not popular, incentives will be at work, because it would be a foolish risk for a company to ship code that could expose a user's entire browser history into the extension, because at any point someone could take a look at the bundle and find the flaw.
It's all about building trust with the company. We don't store or read any information on the sites you visit, we just redirect URLs that contain "go" as the domain, and provide a link for any "go/" links in your browser. We would never risk compromising that trust.
If you take a look at a company like Grammarly, they've built trust with their users, which is why they can have the "Read and modify all data on all sites" and still have 10 million customers. We plan to build the same trust with our customers.