The thing is, from the POV of both Google and the user, there is no reason to assume a typical extension doesn't do the worst-case. The browser is just too juicy a target, and it's way too easy to make money on user surveillance / data exfiltration.
People rightfully point out that if you have access to current URL, you technically have access to browsing history. The right approach is to assume you will use it, hence the warning. Unfortunately, the only way to prevent this is to ensure the extension never, ever gets to make a networking request on its own, or populates any field that could become part of a network request triggered made by the site, or another extension.
It's a trust issue. It's not just fear that you might theoretically sell your extension to some unscrupulous third party. I don't know you personally. I have no reason to assume you are not an unscrupulous party. At this point there is, like, four or five extensions I trust enough to use, and it's mostly because they're OSS and it would be frontpage news on HN if any of them deviated from the expected functionality even slightly.
Having much finer-grained permission system would help a little, at the cost of making it incomprehensible to most users; there's a limit past which it's too complicated to be useful. We need actual innovation in the trust space - by which I don't mean crypto zero-trust shenanigans, but rather a system in which I can trust that, should the browser extension or phone app turn malicious, the vendor will be legally liable, and that it's actually enforced - thus disincentivizing malicious apps/extensions.
People rightfully point out that if you have access to current URL, you technically have access to browsing history. The right approach is to assume you will use it, hence the warning. Unfortunately, the only way to prevent this is to ensure the extension never, ever gets to make a networking request on its own, or populates any field that could become part of a network request triggered made by the site, or another extension.
It's a trust issue. It's not just fear that you might theoretically sell your extension to some unscrupulous third party. I don't know you personally. I have no reason to assume you are not an unscrupulous party. At this point there is, like, four or five extensions I trust enough to use, and it's mostly because they're OSS and it would be frontpage news on HN if any of them deviated from the expected functionality even slightly.
Having much finer-grained permission system would help a little, at the cost of making it incomprehensible to most users; there's a limit past which it's too complicated to be useful. We need actual innovation in the trust space - by which I don't mean crypto zero-trust shenanigans, but rather a system in which I can trust that, should the browser extension or phone app turn malicious, the vendor will be legally liable, and that it's actually enforced - thus disincentivizing malicious apps/extensions.