
They haven't fixed the localhost thing, which is in a roughly similar category. Google's response was vague and poor, but the problems this extension had are quite serious. More serious than, say, Zoom's recent ones.


The theoretical problems that are also hypothetical, because the browser vendor isn't specifically saying that it's what they take issue with here, even after the developer tried to mitigate it? And which is apparently pretty common, with the prescribed best practice being buggy and badly documented, as per the thread below? I'm fine with putting some blame on the extension developers here, but this communication by Google is pretty abysmal and, for all practical purposes, more worrying to me than overreaching permissions that have apparently not impacted security in the real world at this point. The thread below indicates that the localhost thing was/is pretty standard for some use cases; if Google wants that changed, they could just communicate it clearly, openly, and with a good upgrade path. Not with vague, unspecific "do something or you're out" messages. Even a few links to documentation that likely didn't exist when this was first implemented would be enough here to turn the odd messaging into something actionable.


The theoretical problems that are also hypothetical

I have some trouble following this. These are real, exploited capabilities. How are they theoretical and also hypothetical?


I just did not see any indication of the permission actually being abused by this specific extension, hence the "hypothetical". That's not meant to dismiss that it is an issue, but in this specific case I think the communication is worse than the potential problem, given that the devs don't seem to have a negative track record and are actively working on mitigating it.

As for the redundancy, I blame my lack of coffee for that, apologies.


Ah that makes sense, thanks. I think this is the bit where we disagree:

I think the communication is worse than the potential problem

In that I think the communication is really bad but the 'potential' problem is more than potential and also really bad.



