You are incorrect. You can inspect extensions that you download to compare the source code to the github release, or even audit the specific source you have have downloaded. Please don't spread FUD.
Would it be feasible for browsers to have a console window that enumerates add-on's to display things like URL's contained in the code, what is stored in local storage, session storage, etc? Asking because this topic comes up a lot and might not if the browser had a way to show explicit detailed permissions and capabilities vs. high level abstract permissions. This would be for less than technical people that probably won't be viewing source code, but could click a shiny button in the add-on page and get some idea if the addon shows URL, http(s), number of times the addon has used GET or POST or other methods: