This is where the manifest/permission is important. I cannot emphasize enough that I had to code this myself because, at the time, nothing else would be OK with me. This was because of 1- way too big of a code base, 2- way too many permissions.
It is indeed a problem that extensions are not as well maintained as Linux distribution packages, but in this specific instance the extension has no right to read any information or send requests to any server.
If your computer is compromised, whatever token/cookie you get from the authentication will also be compromised.
Assuming the computer is compromised also opens up a lot more issues; privilege escalation can be done in a lot of ways depending on what is being installed (even sudo was hit by such issues: https://www.cve.org/CVERecord?id=CVE-2021-3156).