
For example, say you wanted an extension to be able to take a screenshot of Amazon, but not get access to everyone's private data on Amazon. This is not currently possible in Chrome. To get the screenshot, you need to allow access to Amazon.com in the permissions list of the extension config, i.e. manifest.json. This, however, gives you permission to request resources from Amazon that the user did not load into the browser, like all their previous purchases. And if there's another URL in the permissions list that the extension developer hosts, they can set up an API for the extension to phone home the user's private data on Amazon.

Here's a sample that demonstrates this: http://src.chromium.org/viewvc/chrome/trunk/src/chrome/commo...

Note that "tabs" and "code.google.com" must both be listed in the permissions.
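Added example, not code from the post or from Chrome: a small audit of a constructed manifest.json permissions list that reports which origins each entry grants and flags the combination the comment describes (tabs plus a site host, plus a second developer-controlled host). It assumes manifest v2 conventions, where API names and host match patterns share one `permissions` array; the sample manifest is constructed.

```javascript
// Audit a Chrome extension manifest (v2 style) "permissions" list.
// Match patterns look like scheme://host/path; "<all_urls>" is the catch-all.
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)$/;
const ALL_URLS = '<all_urls>';

// Split the mixed array into API permissions ("tabs") and host match patterns.
function classifyPermissions(manifest) {
  const api = [];
  const hosts = [];
  for (const p of manifest.permissions || []) {
    if (p === ALL_URLS || MATCH_PATTERN.test(p)) hosts.push(p);
    else api.push(p);
  }
  return { api, hosts };
}

// Reduce a match pattern to the origin it covers ('*' when wildcarded).
function originOf(pattern) {
  if (pattern === ALL_URLS) return '*';
  const m = MATCH_PATTERN.exec(pattern);
  if (!m[2] || m[2] === '*') return '*';
  return m[2].replace(/^\*\./, '');
}

// Findings a reviewer would raise: each host pattern allows cross-origin
// requests to that origin regardless of what the user loaded, and two or more
// distinct origins mean data read from one host can be posted to another.
function auditManifest(manifest) {
  const { api, hosts } = classifyPermissions(manifest);
  const origins = [...new Set(hosts.map(originOf))];
  const findings = origins.map(o => `cross-origin requests allowed to ${o}`);
  if (api.includes('tabs') && hosts.length) {
    findings.push('tabs + host access: can capture and read pages on those hosts');
  }
  if (origins.length > 1 || origins.includes('*')) {
    findings.push('multiple origins: data from one host can be sent to another');
  }
  return { api, hosts, origins, findings };
}

// Constructed sample manifest (hypothetical hosts, not from the post).
const SAMPLE_MANIFEST = {
  name: 'screenshot-demo',
  permissions: ['tabs', 'http://*.amazon.com/*', 'https://updates.example.net/*'],
};

console.log(auditManifest(SAMPLE_MANIFEST).findings.join('\n'));
```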
