by kid-icarus 1846 days ago
Yes, if an extension can override CSP directives to allow arbitrary connect-src exceptions, it effectively means that any data in any form on any page is now susceptible to having that data sent to an attacker-owned URL.

The solution doesn't necessitate removing extensions, it just means potentially constraining the API surface of extensions in order to mitigate the attack surface.

2 comments

Extensions don't need to modify headers to view anything in the DOM or make requests with the credentials of the page they're running in. The only thing they can't do is directly interact with the JavaScript running on the page (and vice versa).

This is a misunderstanding. Extensions can read any data even with a restrictive CSP. A malicious extension can then use a channel other than the currently opened tab to exfiltrate them. There are many.

Extension users do want extensions to interact with pages, often including cross-origin requests. That is what extensions are for, and they won't work with a restricted API surface.
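The mechanics the top comment and the replies are arguing over, as an added example that is not part of the original thread and not any browser's or extension's code: a small JavaScript model of how a user agent evaluates connect-src against an outgoing request (CSP Level 3 source-expression matching, simplified), and what appending an extension-chosen exception to the header changes. The function names (connectAllowed, injectConnectSrc, sourceMatches), the page, API and attacker URLs, and the header values are all constructed for illustration.

```javascript
// Added example: a model of connect-src evaluation, not browser or extension code.
// Matching follows CSP Level 3 "match url to source expression" in simplified
// form; nonces and hashes do not apply to connect-src and are not modelled.
// All URLs and header values below are constructed for illustration.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Source list for `directive`, falling back to default-src as CSP does for
// fetch directives.  Returns null when neither is present (no restriction).
function sourceListFor(headerValue, directive) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  if (directives.has(directive)) return directives.get(directive);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Scheme-part match, including the http->https and ws->wss upgrades CSP3 allows.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === 'http:' && urlScheme === 'https:') ||
    (exprScheme === 'ws:' && urlScheme === 'wss:');
}

// [scheme://] host-or-wildcard [:port-or-*] [/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\s:\/*]+)(?::(\*|\d+))?(\/\S*)?$/i;

// Does one source expression permit a request to `url` from a page at `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin.origin;
  if (e === '*') return url.protocol in DEFAULT_PORT;          // network schemes only, never data:/blob:
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, url.protocol);
  const m = HOST_SOURCE.exec(e);
  if (!m) return false;                                         // unparseable expressions never match
  const [, scheme, host, port, path] = m;
  // Scheme: explicit in the expression, otherwise the page's own scheme.
  if (!schemeMatches(scheme ? scheme + ':' : pageOrigin.protocol, url.protocol)) return false;
  // Host: '*' matches any host, '*.example.com' matches subdomains only, otherwise exact.
  const h = url.hostname.toLowerCase();
  if (host === '*') { /* any host */ }
  else if (host.startsWith('*.')) { if (!h.endsWith(host.slice(1))) return false; }
  else if (h !== host) return false;
  // Port: '*' matches any; an explicit port must equal the request's effective port;
  // no port in the expression means the request must use its scheme's default port.
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === '*') { /* any port */ }
  else if (port !== undefined) { if (urlPort !== port) return false; }
  else if (url.port !== '') return false;
  // Path: a trailing '/' is a prefix match, otherwise the path must match exactly.
  if (path) {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Is a connection from the document at `pageUrl` to `targetUrl` allowed under `cspHeader`?
// This check only ever runs for requests the document itself issues; an extension's
// background context is governed by the extension's own policy, not the page's.
function connectAllowed(cspHeader, pageUrl, targetUrl) {
  const list = sourceListFor(cspHeader, 'connect-src');
  if (list === null) return true;
  const page = new URL(pageUrl), target = new URL(targetUrl);
  return list.some(expr => sourceMatches(expr, target, page));
}

// Model of a header-rewriting extension: append an exception to connect-src.
// If the directive is absent, materialise it from default-src so the fallback is kept.
function injectConnectSrc(cspHeader, extraSource) {
  const parts = cspHeader.split(';').map(p => p.trim()).filter(Boolean);
  const idx = parts.findIndex(p => /^connect-src\b/i.test(p));
  if (idx >= 0) parts[idx] = `${parts[idx]} ${extraSource}`;
  else parts.push(`connect-src ${(sourceListFor(cspHeader, 'connect-src') || ['*']).join(' ')} ${extraSource}`);
  return parts.join('; ');
}

// Constructed scenario: a banking page with a tight connect-src, and an attacker collector.
const PAGE = 'https://bank.example/accounts';
const ORIGINAL = "default-src 'self'; connect-src 'self' https://api.bank.example; script-src 'self'";
const EXFIL = 'https://attacker.example/collect';
const MODIFIED = injectConnectSrc(ORIGINAL, 'https://attacker.example');

function demo() {
  return {
    apiUnderOriginal: connectAllowed(ORIGINAL, PAGE, 'https://api.bank.example/balance'),
    exfilUnderOriginal: connectAllowed(ORIGINAL, PAGE, EXFIL),
    exfilAfterInjection: connectAllowed(MODIFIED, PAGE, EXFIL),
  };
}
```

Under ORIGINAL the page's own script cannot reach attacker.example; after injectConnectSrc appends one source expression, the identical fetch passes. The reply's point is the comment on connectAllowed: the check is scoped to the document's requests, so a content script that reads the DOM and passes it to the extension's background context has already stepped outside the page's policy before any network request is made.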