by mschuster91 46 days ago
Because extensions can and often do contain stuff like images or JS bundles that they inject into a target page's DOM. Not allowing a tab's context to load files from the chrome-extension:// namespace would break a lot of things.
1 comments

True, but you'd expect the same CORS rules to apply for extensions. Only pages originating from an extension are by default able to load resources from said extension.