Once an extension can modify the DOM (and most extensions need it) you loose any hope of permissions. From injecting javascript to sending data modifying an img[src], there's no way to protect your privacy. I don't think that permissions are a viable model here, it's more a problem of trust and auditing.
extensions have the option of working only on a set of domain. So you could only install gmail extensions that work only on gmail.com and not on * as 99.999% of the extensions does. Most need to, like referrer blockers and user agent spoofers. But we only need those global extensions because google actively removes those functionalities from chromium, on a regular basis, after someone in the community adds it. over and over again.
