When inspecting the source I grep for http/network calls and anything that looks suspicious. Most extensions are fairly simple and it’s easy to see when they’re not malicious.
Problem is, those extensions can update their source at any time. Ownership can change. A good extension can turn malicious while you aren’t looking. For that reason, if I really need an extension with “all website” permissions, I make sure to disable it and only enable it when I use it.
The only long running extension with those permissions on my machine is uBlock.
And of course some extensions do need access to the whole page, including password fields. For example a password manager obviously needs access (though it shouldn’t need to read the password field, only write to it).
As to why it’s not possible to have super granular permissions (i.e. restricting to certain elements on the page) — that would break the whole extension model, because scripts you inject into the page would have to operate on a “shadow DOM” of sorts. Also, properly sandboxing within a single DOM would be porously impossible.
Now that I type it out though, I could see how maybe it would be possible to construct a restricted, parallel DOM for an extension to interact with... but I really don’t think the complexity is worth changing the status quo.
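
The source inspection described in the comment above can be scripted. The following is an added example, not part of the original comment: it reads an unpacked extension's `manifest.json` for all-sites grants and lists lines in its `.js` files that contain network or dynamic-code calls. The sample extension, its file names and its URL are constructed for the demonstration; a static text search like this does not see obfuscated or remotely loaded code.

```python
import json, re, tempfile
from pathlib import Path

# Match patterns that grant access to every site (Chrome/Firefox manifest syntax).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Calls worth reading by hand: network egress and dynamic code execution.
SUSPECT = re.compile(
    r"\b(fetch|XMLHttpRequest|WebSocket|EventSource|sendBeacon|importScripts|eval)\b"
    r"|new\s+Function\b|https?://[^\s\"'`)]+")

def broad_grants(manifest: dict) -> list[str]:
    """Return 'where: pattern' for every all-sites grant in the manifest."""
    hits = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        hits += [f"{key}: {p}" for p in manifest.get(key, []) if p in BROAD]
    for i, cs in enumerate(manifest.get("content_scripts", [])):
        hits += [f"content_scripts[{i}]: {m}"
                 for m in cs.get("matches", []) if m in BROAD]
    return hits

def suspect_lines(root: Path) -> list[tuple[str, int, str]]:
    """Return (file, line number, matched text) for each hit in .js files."""
    out = []
    for js in sorted(root.rglob("*.js")):
        rel = js.relative_to(root).as_posix()
        for n, line in enumerate(js.read_text(errors="replace").splitlines(), 1):
            out += [(rel, n, m.group(0)) for m in SUSPECT.finditer(line)]
    return out

def audit(root: Path):
    manifest = json.loads((root / "manifest.json").read_text())
    return broad_grants(manifest), suspect_lines(root)

def make_sample(root: Path) -> Path:
    """Constructed sample extension (hypothetical names and URL)."""
    (root / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "sample", "version": "1.0",
        "permissions": ["storage"], "host_permissions": ["https://*/*"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}))
    (root / "content.js").write_text(
        "const n = document.querySelectorAll('input').length;\n"
        "fetch('https://stats.example.invalid/c?n=' + n);\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        grants, hits = audit(make_sample(Path(d)))
        for g in grants: print("BROAD", g)
        for f, n, m in hits: print(f"{f}:{n}: {m}")
```

Because an extension's source can change with any update, the output is only valid for the version that was on disk when the script ran.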