[floatingatoll]

The problem with trying to cure this security model is that once an extension can rewrite page HTML, it can inject transmission of your data to a third-party, and so any addon that affects pages (such as this one) is correctly labeled as "can access your data", because it absolutely can.

To make any headway on this, you would need to start considering how to prohibit JavaScript from transmitting page content to remote servers if it's been modified by an addon, but that would then break all JavaScript modified by adblockers, and so there's not any easy solution there either.

If you can think of a valid security model here that isn't vulnerable to today's arbitrary JavaScript execution issues, I think you'd find a willing audience. Chrome tried to solve this by nailing down what extensions can do, and the adblockers all flipped out because they won't be able to run arbitrary JavaScript in-page anymore. It remains unclear how this can ever be solved.