As a publisher of an extension with both of the above, you definitely can. To be honest I’m not sure what the validation process is like inside Google because I only had to provide 2-3 sentences for each major permission I requested.
You do get a notification when installing it that says ‘this extension will have access to: -everything’, so the user should be aware of what’s going on.
The sad thing is, probably half the extensions I have installed have these permissions, and I see them during install and I just sigh and click OK, knowing full well the implications, but still needing that juicy extension functionality regardless.
I recall wanting to install a password manager extension at my previous job, for the tool that the company uses, and even knowing that many others use it and the company doesn’t block it, I still wasn’t comfortable with the permissions it wanted.
You do get a notification when installing it that says ‘this extension will have access to: -everything’, so the user should be aware of what’s going on.