As a sometimes paranoid person, the huge list of permissions that Honey asked for as a browser extension has always smelled to me like a privacy/security risk, regardless of owner.
Maybe the timing is suspicious on Amazon's part, but it does seem like a useful PSA as worded.
They make their money from commissions, not ads or personal data.
They've been audited by at least one security firm per the article, and their privacy policy https://www.joinhoney.com/privacy says "We do not sell your personal information. Ever."
I only saw the Chrome permissions because Edge shares the same permission model (even pre-Edgmium Edge / "Edge Classic"). I also may have seen it early in its history as well, as I recall looking at it on an "Is this spyware?" ask from a presumably very early adopter.
That said, even if it is the example use case for that lone Firefox permission, that's a hugely broad permission and I'd be hesitant with any extension that asked for it.
As for security audits and privacy policies, I'd be concerned if they didn't do their diligence on that front. It doesn't impact my paranoid skepticism of a startup one bad/dumb pivot away from changing their minds and injecting ads or selling personal data because their business model wasn't working. At least on that side of the equation, PayPal buying them does possibly increase some trust measures with the company as it should be less likely that PayPal would allow such a pivot. (Though PayPal themselves don't have a history of being the best stewards of their ancillary products, and healthy skepticism there abounds as well.)
While I've heard rumors it was unsafe in the past (requesting too many permissions, etc.), I'd think that if PayPal bought it, they would at the very least make it /safer/ than it was before.
Maybe /safer/ doesn't get us all the way to safe, though.
Well, as with almost everything in the privacy/security space it depends on your threat model. From a standpoint of "every startup is one bad pivot away from doing something stupid if their business model has bugs", PayPal is indeed somewhat safer long term.
PayPal themselves are in some folks' threat models (they've mismanaged a few things over the years), though.
1. Disabling Amazon's deep integration into Ubuntu's desktop search is a security risk.
2. Android tablets that are not Amazon Fire are security risks.
3. The real MongoDB, if self-hosted or hosted by Mongo/Atlas, is a security risk now that AWS provides its own managed version.
4. Using the "one-click" patented workflow on any other site than Amazon is a security risk.