It's not just a DOM change problem. What if an extension changes owner and starts sending pairs (domain/user's credentials) to someone else? What if one buys an extension to get access to bank sites?
What's surprising is that extensions are by default not "Allowed in incognito"; however, they are allowed when using HTTPS and there is no option to disable them there.
HTTPS shouldn't be thought of as just for secure sites, but just as the default. 4chan and this site run on HTTPS, yet I wouldn't want to disable extensions for them because of that.