The problem is the granularity of the permissions is extremely coarse, so if you scan the top extensions on the chrome web store a vast number of them request access to All Pages, HTTP and HTTPS included. This is because various useful primitives require that access.
Another problem is that requesting a new permission in an extension update has extremely bad UX, to the point that any thoughtful extension developer will just ask for everything they could possibly need up front. If you request a new permission Chrome just silently shuts off your extension until the user goes digging around in the UI for the permission request. The last time I tried this about 5% of my users figured it out and the rest thought it was broken.
Another problem is that requesting a new permission in an extension update has extremely bad UX, to the point that any thoughtful extension developer will just ask for everything they could possibly need up front. If you request a new permission Chrome just silently shuts off your extension until the user goes digging around in the UI for the permission request. The last time I tried this about 5% of my users figured it out and the rest thought it was broken.