Hacker News
by MartijnHols 442 days ago
The article mentions they inject a web component. I imagine a bad actor could add something to that. In this case at the very least the author could add an "I hacked your Grammarly extension" text just via CSS, but I'm sure you can go much further, even more so with other extensions (e.g. password managers).
1 comments

But you could also just add your own lookalike web component to your page that looks like the Grammarly one. If people enter credentials there, it's user error.