I think the general pitfalls of a browser extension is that you're essentially trusting that the browser, which is acting almost as an OS in terms of separating the memory contents of different extensions, to work correctly. The idea is if you have an extension doing crypto, an extension that is syncing data with google has no way of reading the data from the crypto extension. You also have to make sure the same applies for websites as well...extensions should be able to grab data from sites, but not vice versa. Without this kind of perfect separation, your crypto extension is really just a sitting duck and none of the data in it is safe.
As far as how they differ among browsers, Chrome (and I suppose Opera, now as well) does a good job sandboxing one extension from another, and from stopping websites gaining access to running extensions. Is it perfect? I can't really answer that.
One problem with Chrome extensions is that unless you want your users to have to download the .crx file, and drag and drop it into their browser, you have to use the Chrome webstore. This is especially retarded because in order to upload your extension to the Chrome webstore, they either need your private key you signed the extension with, or they generate a private key for you. This means that your private key is not private and extension signing is a complete joke. So if you're releasing an extension for the security-literate, it makes sense to create a .crx file, sign it yourself with your own PGP key, and offer it as a separate download that they have to drag+drop into Chrome. The chrome webstore is not a secure means of distribution.
Firefox, on the other hand, is more forgiving with installations but has no real sandboxing. This means it's possible for one extension to read another's data. Plans to introduce threading (and I think as a consequence of threading, sandboxing as well) are in the works, but it's still going to be a while until Firefox gives extensions the same protections Chrome does.
Really, if you can, it's best to do crypto in a native app where the sandboxing is done for you by the operating system and you don't have to rely on a browser. Node-webkit is a great way to do this since it merges the two worlds nicely (at least for desktop).
I would be greatly interested if you could expand on some of the pitfalls of browser extensions and how they differ among browsers. Thanks in advance!