Yes, regular pages are limited to their same origin policy. Extensions, when they request it, are not. This extension requested it, so it is capable of downloading files from any server to a string. It also requested unsafe-eval, this lets it eval a string. Now, when you add one and one together, you have two features combined in a malicious way. But not a bug.
Sure, things should be different. But they are the way they are, and considering the way they are, this is not a bug. And certainly not bug-bounty'able.
Sure, things should be different. But they are the way they are, and considering the way they are, this is not a bug. And certainly not bug-bounty'able.