Above commenter got it exactly right. Yes, if you've installed extensions with malicious code, your data anywhere can be exfiltrated.
That is one of the privacy dangers of cryptpad, and it's not particularly far-fetched. Specifically with shared documents, one needs to trust that every extension every user who visits your document has installed is non-malicious in order to have an assurance that only approved people will see those docs.
Of course this is a browser-based consideration that would affect shared docs on any browser-based platform, but as a privacy-focused app I think it's fair to consider modes of failure inherent in it being a browser-based app. Signal and other Desktop applications, by contrast, wouldn't have these same risks (and Cryptpad could similarly bundle its client as an electron-based app to provide better security).
That is one of the privacy dangers of cryptpad, and it's not particularly far-fetched. Specifically with shared documents, one needs to trust that every extension every user who visits your document has installed is non-malicious in order to have an assurance that only approved people will see those docs.
Of course this is a browser-based consideration that would affect shared docs on any browser-based platform, but as a privacy-focused app I think it's fair to consider modes of failure inherent in it being a browser-based app. Signal and other Desktop applications, by contrast, wouldn't have these same risks (and Cryptpad could similarly bundle its client as an electron-based app to provide better security).