[djyde]

I understand your concern. I think "access to much information" means this extension require <all_url> host_permission, which I don't want to either but it must.

Because custom AI provider's API base url is submit by user. If I want to call the API on background script, this base url must be listed on host_permissions. Otherwise it will cause a CORS problem.

optional_host_permissions may fix this problem, but since the base url is set by user, it's not possible to use this workaround.

Any suggestion?

[tough]

you could give paying customers access to the code to run themselves (not open source)

if that works for you/your privacy-aware customer they can inspect the code/build it/ run their own version

[djyde]

Actually, the nice thing about chrome extensions is that users can view all requests made by content_script and background script through devtool. This is much more intuitive than checking the code.