The extension requests permission to access "Your data on all websites" and "Your tabs and browsing activity". I guess what I'm saying is that there should be a distinction between permissions for accessing stuff in the browser and accessing external data through AJAX and other resource requests. Besides cutting off extensions themselves from the outside world, Chrome would just have to prevent extensions from injecting scripts or elements that made external requests into loaded pages by disallowing <script>, onclick='', src='' etc... from being added to the HTML and DOM of those pages.
For example, say you wanted an extension to be able to take a screenshot of Amazon, but not get access everyone's private data on Amazon. This is not currently possible in Chrome. To get the screenshot, you need to allow access to Amazon.com in the permissions list of the extension config, i.e. manifest.json. This, however, gives you permission to request resources from Amazon that the user did not load into the browser, like all their previous purchases. And if there's another URL in the permissions list that the extension developer hosts, they can set up an API for the extension to phone home the users private data on Amazon.
