OMG, this sounds like a massive security risk. That nice developer could easily siphon off all the email to his backend server with this little extension. I install almost no extensions because they are too risky.
All Chrome extensions require trust. That should factor into your decision to install any of them.
This is no more risky than any other extension whose permissions include `https://mail.google.com/`. Anecdotally, that probably includes most extensions seeing as how most of the ones I come across request `<all_urls>` whether or not they need it (not that that's okay).
In any case it's open source, so you can download it, audit the code, and install it locally to prevent auto-updating.
Or use an email client that runs outside your browser, and reduce your threat surface considerably - yes, you still have to worry about other things you do in the browser, but compromising your email compromises all those too via password resets, which isn't the case for anything else if your password discipline is good.
Yes, Gmail makes it harder than it should be to use the email client of your choice. But that's not a problem with email clients. That's a problem with Gmail. It's far from the only one.
Chrome sandboxes fetch requests from extensions and tells the user what permissions the app is requesting, so it’s not actually that bad (barring bugs in the sandbox)
This is no more risky than any other extension whose permissions include `https://mail.google.com/`. Anecdotally, that probably includes most extensions seeing as how most of the ones I come across request `<all_urls>` whether or not they need it (not that that's okay).
In any case it's open source, so you can download it, audit the code, and install it locally to prevent auto-updating.