[edjroot]

> Showing users how much data a given extension sends to a backend and ideally making that data transparent would be enough to stop most of these practices

Exactly! I find it abhorrent that not even Firefox has something straightforward like that as a “first-class” feature. Most of the extensions I use shouldn't need to communicate with any server at all to begin with, so having to just trust the author's words or manually audit the code on every update (or stop them altogether) and maybe fork the project (if that's even possible)... Doesn't make sense.

The one thing I'm aware of that these extensions could do to sidestep such a mechanism is to inject scripts on pages that then exfiltrate your data, but injection could also be blocked, and as a last resort I trust uMatrix would have me covered ;)