by 411111111111111 1099 days ago
The threat model is that maintainers of popular extensions get offers of several thousand $ all the time to pass over ownership. And there have been several incidents in which the new owners added trackers to the extension itself, tracking the user across all domains.

These extensions usually have full access to the DOM, so they can do everything they want to.

So their question is very much warranted: installing a new extension should always be well considered.

1 comments

That's not a threat model, at all.
The threat is what's important. Nobody will give you a six-slide C-level PowerPoint presentation.
I mean... I don't really have a response to this. This is security modeling 101. To different threat models, this is a varying degree of a threat - anywhere from "not a threat" to "unacceptable threat".

You cannot universally answer the question "how much of a threat are chrome extensions".

I understand that this is a pet peeve of yours. But what exactly stops you from learning what kind of data chrome extensions have access to (they can see everything on any page you visit and send it to perpetrators) and assuming the worst?