I mean, we can argue lots of things, I guess ;P, but an extension already has access to that authentication token, and pretending otherwise is a bit... "performative"? The expectation I have with an extension--as someone who used to manage an entire ecosystem of such extensions of native software for a decade--is that it is a true extension of the application that it is extending, similar to if we had the original source code to patch.