[notatoad]

an extension developer can scope their extension to only run on certain URLs, and if that list changes then chrome will automatically disable it until the user re-authorizes for the new set of URLs.

so they're not a total security nightmare if they're only authorized to run on sites where you don't enter any private data. for example, looking through my extensions list, the py3redirect that autmatically redirects python2 documentation pages to python3 pages doesn't request access to anything other than python.org.

but otherwise, yeah, you're giving permission to execute arbitrary code on any website you visit, which is about as compromised as your browser can get.