A better behavior would be selective approval. Extension asks for permissions for X, Y, and Z. You allow X and Z but deny Y. Any features affected fall back to an alternate state or are disabled. User is given clear access to control the permission states and clear feedback as to which permissions affect which features. Information about feature dependencies is available prior to install, particularly if they are arbitrary dependencies like "send us all your personal info or the software does nothing."
Is this going to happen? Probably not. Application-level firewalls help somewhat, in some cases, for expert users. Sometimes "use different software" helps, but there are many cases where that's not viable.
I think an even better policy is to let the browser prompt if the permissions that the extension demands are grossly above those required for its purported purpose.
It may seem like a hard machine learning problem, but it seems to me that one could catch the most blatant offenders easily-- changing background colors at \.facebook.com should not require the ability to communicate with malwarehost.com or the ability to read data across all websites.
Combine this with the fact that most extensions people install are not* malicious, and you already have a decent training corpus (to treat this as a one-class classifier)
I'd be happy just seeing prominent and clear icons for major threat types, e.g. access to personal data, elevated device access, and so forth. Make them large and suitably threatening. It wouldn't completely solve the problem, but it could take back a lot of ground.
A better behavior would be selective approval. Extension asks for permissions for X, Y, and Z. You allow X and Z but deny Y. Any features affected fall back to an alternate state or are disabled. User is given clear access to control the permission states and clear feedback as to which permissions affect which features. Information about feature dependencies is available prior to install, particularly if they are arbitrary dependencies like "send us all your personal info or the software does nothing."
Is this going to happen? Probably not. Application-level firewalls help somewhat, in some cases, for expert users. Sometimes "use different software" helps, but there are many cases where that's not viable.