This, just like Mozilla's screenshot addon and all the other examples, shows why it's an insane idea to mix addon content with the websites, and why it's important to make sure that addon content can run on the UI layer of the browser, and not within the content of the sites.
Relying on "best practices" is always a security disaster waiting to happen, if you don’t enforce security and separation in the design of the APIs and languages already, you won’t get security.
Wouldn’t such a restriction eliminate the main selling point of extensions, which is that they can modify content on the page?
The extension permissions API already offers enough restrictions. As a user, I simply do not install extensions that need access to all pages, or I only enable them on pages where I need them.
Some extensions like Google Inbox for Chrome will inject a single `iframe` that points to a `chrome-extension://` page, so while the page might notice the element, it can't access its content.
I think you could use the Shadow DOM in closed mode to prevent any information from leaking. [1]
That only works for extensions that want to show their content in a separate overlay layer from the page. If the extension wants to show its content inline with the page's elements, pushing the page's elements out of the way and freely flowing with the page's elements, then that doesn't exactly work.
An extension can stuff its UI within an iframe that the host page can't manipulate, but that does come with some UI limitations.
As long as the extension UI is rendered where the page can also render something, it will be vulnerable to phishing. E.g. https://www.seancassidy.me/lostpass.html