Why these browser extensions cannot live in a guarded sandbox? Extensions are given full access to whatever is available on any page. I had legacy React developer tools and Redux DevTools installed for years. What a great attack vector.