Even in the limited example given there is a clear path of attack. An extension that is permitted to access mail.gmail.com can simply collect its target data and then email it to itself and delete the email afterwards.
Exactly. That's because the assumption that "extensions which deal with sensitive information are perfectly safe as long as they do not disseminate this sensitive information arbitrarily" is wrong. It doesn't just have access to information but to functionality too. So an extension which is supposed to make your bank's website less sucky can send your money to someone else. Though, of course, the proposed approach could limit the impact (to one site only) of such extensions.
Right, minimizing attack surface is pretty important. Though the described attack scenario (a form of self-exfiltration attacks [1]) is something we did think about. (The details of the core IFC mechanism are described in the COWL paper [2].) For example, if the extension only needs to read data from gmail.com it is tainted with a unique origin. (In general, IFC can be used to deal with both confidentiality and integrity.)
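The unique-origin taint described in the reply above, as a small added illustration written for this thread (not the COWL implementation or any code from the paper): a confidentiality label is modelled as a set of origins, reading from a site raises the extension's label, and a send is allowed only if the current label flows to the destination's label. The origin `https://third-party.example` is a constructed placeholder.

```python
import uuid
from dataclasses import dataclass, field

# Simplified model of a COWL-style confidentiality label: a conjunction of
# origins. Data labelled {a, b} may only flow to a context labelled with at
# least {a, b}. This is an illustrative model, not the COWL implementation.
Label = frozenset


def flows_to(src: Label, dst: Label) -> bool:
    """src may flow to dst only if dst is at least as restrictive as src."""
    return src <= dst


@dataclass
class ExtensionContext:
    """Execution context (e.g. an extension script) carrying a taint label."""
    label: Label = field(default_factory=frozenset)
    log: list = field(default_factory=list)

    def read(self, origin: str, unique: bool = False) -> None:
        # Reading from an origin raises the context's label. With `unique`
        # the taint is a fresh origin that no destination is labelled with,
        # so the data cannot even flow back to the site it was read from
        # (this is what closes the email-it-to-yourself channel).
        taint = f"unique:{uuid.uuid4()}" if unique else origin
        self.label = self.label | {taint}

    def send(self, dest_origin: str) -> bool:
        # A destination is labelled with its own origin; the send is
        # permitted only if the context's current label flows to it.
        ok = flows_to(self.label, frozenset({dest_origin}))
        self.log.append((dest_origin, ok))  # audit trail of allowed/denied sends
        return ok


def self_exfiltration_blocked(unique_taint: bool) -> dict:
    """Model the thread's scenario: read gmail.com, then try to send the data."""
    ctx = ExtensionContext()
    ctx.read("https://gmail.com", unique=unique_taint)
    return {
        # Plain origin taint still lets the extension talk back to gmail.com,
        # i.e. mail the data to itself; the unique taint denies that too.
        "to_gmail": ctx.send("https://gmail.com"),
        "to_third_party": ctx.send("https://third-party.example"),  # constructed
    }
```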