[skybrian]

The problem they’re worried about is untrustworthy browser extensions that have broad permissions to do harm. There are over 100,000 extensions and from a security standpoint, not having good-enough sandboxing is a vulnerability.

More: https://lcamtuf.substack.com/p/the-asymmetry-of-nudges

> In reality, Manifest V3 was meant to solve a real problem — and to do so for the right reasons. I know this because about eight years ago, we set out to conduct a survey of the privacy practices of popular browsers extensions. We were appalled by what we uncovered. From antivirus to “privacy” tools, a considerable number of extensions hoovered up data for no discernible reason. Some went as far as sending all the URLs visited by the user — including encrypted traffic — to endpoints served over plain text. Even for well-behaved extensions, their popularity, coupled with excessive permissions, opened the doors for abuse. The compromise of a single consumer account could have given the bad guys access to the digital lives of untold millions of users — exposing their banking, email, and more.

Maybe they could have avoided controversy by grandfathering in a few popular extensions and watching them closely?