It takes less than 5 seconds to upload personal data to a server from a compromised extension.
Not saying you're doing this but it was the first threat scenario that came to mind and it's not even something particularly uncommon in the browser extension world.
I'm going to go ahead and say it then, this is suspicious as fuck.
It would have been slightly less suspicious if the response to "this is a security concern" would have been "oops yeah we see that now, let's disable that requirement until we gain some trust first".
I do not trust a company that brands itself as privacy-oriented when they insist on peddling a security vulnerability to their users "because Google is evil so trust us". Google may be selling my data but at least they have a lot to lose so they are likely to abide by legal guardrails.
Especially since there is no value-add to the extension. It's whole purpose is to make it harder for less tech-savvy users to stop using the service.
Not saying you're doing this but it was the first threat scenario that came to mind and it's not even something particularly uncommon in the browser extension world.